CVE-2024-14026
Published: 11 March 2026
Summary
CVE-2024-14026 is a high-severity OS Command Injection (CWE-78) vulnerability in QNAP QuTS hero. Its CVSS base score is 7.8 (High).
Operationally, it ranks at the 2.6th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) [AI]
Directly addresses the command injection vulnerability by requiring timely flaw remediation through patching to the fixed QNAP versions, preventing exploitation.
Prevents command injection by enforcing validation of user inputs at system interfaces before they are processed as commands.
Limits the impact of arbitrary command execution by ensuring user accounts operate with least privilege, reducing potential damage from local network exploitation.
NVD Description
A command injection vulnerability has been reported to affect several QNAP operating system versions. If an attacker who has also gained a user account gains local network access, they can then exploit the vulnerability to execute arbitrary commands. We have already fixed the vulnerability in the following versions:
- QTS 5.1.9.2954 build 20241120 and later
- QTS 5.2.3.3006 build 20250108 and later
- QuTS hero h5.1.9.2954 build 20241120 and later
- QuTS hero h5.2.3.3006 build 20250108 and later
Deeper analysis [AI]
CVE-2024-14026 is a command injection vulnerability (CWE-78) affecting several versions of QNAP operating systems, including QTS and QuTS hero. Published on 2026-03-11, it carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H), indicating high impact potential with low attack complexity and low privileges required.
The vulnerability can be exploited by an attacker who has obtained local network access and a user account on the affected system. Successful exploitation allows the execution of arbitrary commands, enabling high levels of compromise in confidentiality, integrity, and availability.
QNAP has fixed the vulnerability in QTS 5.1.9.2954 build 20241120 and later, QTS 5.2.3.3006 build 20250108 and later, QuTS hero h5.1.9.2954 build 20241120 and later, and QuTS hero h5.2.3.3006 build 20250108 and later. Additional details are available in the QNAP security advisory at https://www.qnap.com/en/security-advisory/qsa-24-54.
Details
- CWE(s)