Cyber Resilience

CVE-2024-14026

Low

Published: 11 March 2026

Modified: 12 March 2026
CVSS Score v4: 2.0 (CVSS:4.0/AV:P/AC:L/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0002 (3.9th percentile)
Risk Priority: 4 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-14026 is a low-severity OS Command Injection (CWE-78) vulnerability in QNAP QuTS hero. Its CVSS base score is 2.0 (Low).

Operationally, exploitation aligns with the MITRE ATT&CK technique Unix Shell (T1059.004). The CVE ranks at the 3.9th percentile for exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2024-14026 is a command injection vulnerability (CWE-78) affecting several versions of QNAP operating systems, including QTS and QuTS hero. Published on 2026-03-11, it carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H), indicating high impact potential with low attack complexity and low privileges required. This differs from the CVSS v4.0 score of 2.0 (Low) shown in the page header, so confirm which scoring version your prioritization process consumes.

The vulnerability can be exploited by an attacker who has obtained local network access and a user account on the affected system. Successful exploitation allows the execution of arbitrary commands, enabling high levels of compromise in confidentiality, integrity, and availability.

QNAP has fixed the vulnerability in QTS 5.1.9.2954 build 20241120 and later, QTS 5.2.3.3006 build 20250108 and later, QuTS hero h5.1.9.2954 build 20241120 and later, and QuTS hero h5.2.3.3006 build 20250108 and later. Additional details are available in the QNAP security advisory at https://www.qnap.com/en/security-advisory/qsa-24-54.

Vulnerability details

A command injection vulnerability has been reported to affect several QNAP operating system versions. If an attacker gains local network access who have also gained a user account, they can then exploit the vulnerability to execute arbitrary commands. We have already fixed the vulnerability in the following versions:

QTS 5.1.9.2954 build 20241120 and later
QTS 5.2.3.3006 build 20250108 and later
QuTS hero h5.1.9.2954 build 20241120 and later
QuTS hero h5.2.3.3006 build 20250108 and later

Related Threats

MITRE ATT&CK Enterprise Techniques

T1059.004 Unix Shell (Tactic: Execution)
Adversaries may abuse Unix shell commands and scripts for execution.
T1068 Exploitation for Privilege Escalation (Tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Command injection (CWE-78) directly enables arbitrary Unix shell command execution (T1059.004) and facilitates local privilege escalation (T1068) from low-privileged accounts.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-30264 (same product: QNAP QTS)
CVE-2025-30273 (same product: QNAP QTS)
CVE-2024-53697 (same product: QNAP QTS)
CVE-2025-48725 (same product: QNAP QTS)
CVE-2025-52872 (same product: QNAP QTS)
CVE-2025-66277 (same product: QNAP QTS)
CVE-2024-53699 (same product: QNAP QTS)
CVE-2025-52863 (same product: QNAP QTS)
CVE-2025-59385 (same product: QNAP QTS)
CVE-2024-53693 (same product: QNAP QTS)

Affected Assets

qnap / qts: 5.1.0.2348, 5.1.0.2399, 5.1.0.2418, 5.1.0.2444, 5.1.0.2466
qnap / quts hero: h5.1.0.2409, h5.1.0.2424, h5.1.0.2453, h5.1.0.2466, h5.1.1.2488

Mitigating Controls (NIST 800-53 r5)

Prevent: Directly addresses the command injection vulnerability by requiring timely flaw remediation through patching to the fixed QNAP versions, preventing exploitation.

Prevent: Prevents command injection by enforcing validation of user inputs at system interfaces before they are processed as commands.

Prevent: Limits the impact of arbitrary command execution by ensuring user accounts operate with least privilege, reducing potential damage from local network exploitation.
