Cyber Resilience

CVE-2023-47565

Severity: High · CISA KEV · Active Exploitation · EUVD Exploited

Published: 08 December 2023
Modified: 26 February 2026
KEV Added: 21 December 2023
Patch
CVSS Score v3.1: 8.0 (CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.8675 (99.4th percentile)
Risk Priority: 88 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-47565 is a high-severity OS Command Injection (CWE-78) vulnerability in QNAP QVR Firmware. Its CVSS base score is 8.0 (High).

Operationally, it ranks in the top 0.6% of CVEs by exploit likelihood (EPSS), and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

An OS command injection vulnerability tracked as CVE-2023-47565 affects legacy QNAP VioStor NVR models running QVR Firmware 4.x. The flaw, assigned CWE-78, permits execution of arbitrary operating-system commands and carries a CVSS 3.1 score of 8.0, reflecting an adjacent-network attack vector, low attack complexity, and low-privileged authenticated access that can fully compromise confidentiality, integrity, and availability.

An authenticated user on the same network segment can supply crafted input to trigger the injection, resulting in arbitrary command execution on the affected NVR appliance. Successful exploitation therefore allows an attacker to run commands with the privileges of the vulnerable process, potentially leading to full device takeover.

QNAP security advisory QSA-23-48 states that the issue has been resolved in QVR Firmware 5.0.0 and later releases; administrators are advised to upgrade affected legacy devices to a supported firmware branch. The vulnerability is also listed in the CISA Known Exploited Vulnerabilities catalog.

The associated EPSS score currently stands at 0.8675 with a recorded peak of 0.8808, indicating sustained exploitation interest after disclosure.

EU & UK References

Vulnerability details

An OS command injection vulnerability has been found to affect legacy QNAP VioStor NVR models running QVR Firmware 4.x. If exploited, the vulnerability could allow authenticated users to execute commands via a network. We have already fixed the vulnerability in the following versions: QVR Firmware 5.0.0 and later

CWE(s): CWE-78 (OS Command Injection)
KEV Date Added: 21 December 2023

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: QNAP
Product: QVR Firmware
Affected versions: 4.0.0 — 5.0.0 (fixed in QVR Firmware 5.0.0 and later)

Mitigating Controls (NIST 800-53 r5) AI

- prevent: Directly requires timely installation of the vendor-supplied QVR Firmware 5.0.0+ update that removes the command-injection flaw.
- prevent: Mandates validation and sanitization of all network-supplied input before it is passed to OS command interpreters, blocking CWE-78 exploitation.
- prevent: Limits the commands an authenticated low-privilege user can execute, reducing the impact of a successful injection on the NVR appliance.

References