Cyber Resilience

CVE-2018-19949

CriticalCISA KEVActive ExploitationEUVD ExploitedRansomware-linkedRCE

Published: 28 October 2020

Published
28 October 2020
Modified
03 November 2025
KEV Added
24 May 2022
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.4417 97.6th percentile
Risk Priority 66 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2018-19949 is a critical-severity Improper Input Validation (CWE-20) vulnerability in Qnap Qts. Its CVSS base score is 9.8 (Critical).

Operationally, ranked in the top 2.4% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2018-19949 is a command injection vulnerability stemming from improper input validation, tracked under CWEs 20, 77, and 78. It affects multiple versions of QNAP QTS network-attached storage firmware and carries a CVSS 3.1 base score of 9.8.

Unauthenticated remote attackers can exploit the flaw over the network to execute arbitrary operating-system commands, resulting in full compromise of confidentiality, integrity, and availability on the affected device.

QNAP has released fixes in QTS 4.4.2.1231 build 20200302, 4.4.1.1201 build 20200130, 4.3.6.1218 build 20200214, 4.3.4.1190 build 20200107, 4.3.3.1161 build 20200109, and 4.2.6 build 20200109, as detailed in security advisory QSA-20-01.

The vulnerability appears in the CISA Known Exploited Vulnerabilities catalog, confirming observed in-the-wild exploitation.

EU & UK References

Vulnerability details

If exploited, this command injection vulnerability could allow remote attackers to run arbitrary commands. QNAP has already fixed the issue in the following QTS versions. QTS 4.4.2.1231 on build 20200302; QTS 4.4.1.1201 on build 20200130; QTS 4.3.6.1218 on build 20200214;…

more

QTS 4.3.4.1190 on build 20200107; QTS 4.3.3.1161 on build 20200109; QTS 4.2.6 on build 20200109.

CWE(s)
KEV Date Added
24 May 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

qnap
qts
4.2.6 · ≤ 4.2.6 · 4.3.1.0013 — 4.3.3.1161 · 4.3.4 — 4.3.4.1190

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires validation of all inputs to block the unsanitized data that enables command injection.

prevent

Mandates prompt application of the vendor patches listed in QSA-20-01 that eliminate the injection flaw.

prevent

Boundary-protection rules can restrict network exposure of the affected QTS interfaces to reduce unauthenticated remote attack surface.

References