CVE-2017-7876
critical
CVSS v3
10.0
CVSS v2
7.5
VIR risk
10.0
Description
This command injection vulnerability in QTS allows attackers to run arbitrary commands in the compromised application. QNAP have already fixed the issue in QTS 4.2.6 build 20170517, QTS 4.3.3.0174 build 20170503 and later versions.
Predictions
Exploit likelihood
98%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
References
- https://www.qnap.com/en/release-notes/qts/4.2.6/20170517
- https://www.qnap.com/en/release-notes/qts/4.3.3.0174/20170503
- https://www.qnap.com/zh-tw/security-advisory/nas-201707-12
CWEs
CWE-77