Cyber Resilience

CVE-2020-2509

CriticalCISA KEVActive ExploitationEUVD ExploitedRCE

Published: 17 April 2021

Published
17 April 2021
Modified
27 October 2025
KEV Added
11 April 2022
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.8396 99.3th percentile
Risk Priority 90 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2020-2509 is a critical-severity Command Injection (CWE-77) vulnerability in Qnap Qts. Its CVSS base score is 9.8 (Critical).

Operationally, ranked in the top 0.7% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2020-2509 is a command injection vulnerability affecting QNAP QTS and QuTS hero network-attached storage operating systems. The flaw, tracked under CWE-77 and CWE-78, permits improper neutralization of special elements used in commands and carries a CVSS v3.1 base score of 9.8 reflecting network attack vector, low complexity, and no required privileges or user interaction.

Unauthenticated remote attackers can exploit the issue to execute arbitrary commands inside the compromised application, resulting in impacts to confidentiality, integrity, and availability.

QNAP's security advisory QSA-21-05 states that the vulnerability has been fixed in QTS 4.5.2.1566 build 20210202 and later, QTS 4.5.1.1495 build 20201123 and later, QTS 4.3.6.1620 build 20210322 and later, QTS 4.3.4.1632 build 20210324 and later, QTS 4.3.3.1624 build 20210416 and later, QTS 4.2.6 build 20210327 and later, and QuTS hero h4.5.1.1491 build 20201119 and later.

The CVE is listed in the CISA known exploited vulnerabilities catalog, confirming observed real-world exploitation.

EU & UK References

Vulnerability details

A command injection vulnerability has been reported to affect QTS and QuTS hero. If exploited, this vulnerability allows attackers to execute arbitrary commands in a compromised application. We have already fixed this vulnerability in the following versions: QTS 4.5.2.1566 Build…

more

20210202 and later QTS 4.5.1.1495 Build 20201123 and later QTS 4.3.6.1620 Build 20210322 and later QTS 4.3.4.1632 Build 20210324 and later QTS 4.3.3.1624 Build 20210416 and later QTS 4.2.6 Build 20210327 and later QuTS hero h4.5.1.1491 build 20201119 and later

CWE(s)
KEV Date Added
11 April 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

qnap
qts
4.2.6, 4.3.3.0174, 4.3.3.0868, 4.3.3.0998, 4.3.3.1051 · ≤ 4.2.6 · 4.3.5 — 4.3.6 · 4.4.0 — 4.5.1
qnap
quts hero
h4.5.1, h4.5.1.1472 · ≤ h4.5.1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires validation of input data to block special characters that enable command injection (CWE-77/78) exploited by CVE-2020-2509.

prevent

Mandates timely application of vendor patches that remediate the command-injection flaw, matching the exact fixed QTS/QuTS hero builds listed in the advisory.

prevent

Enforces disabling or restricting unnecessary services and functions that expose the vulnerable command-processing interfaces in QNAP NAS devices.

References