Cyber Resilience

CVE-2026-22900

Severity: Medium
Published: 20 March 2026
Modified: 25 March 2026
KEV Added: not listed
Patch: available (QuNetSwitch 2.0.5.0906 and later)
CVSS v4.0 score: 6.8 (vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0032 (23.6th percentile)
Risk Priority: 35 (floored blend · peak EPSS)

Summary

CVE-2026-22900 is a medium-severity Use of Hard-coded Credentials (CWE-798) vulnerability in QNAP QuNetSwitch. Its CVSS v4.0 base score is 6.8 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Default Accounts (T1078.001). The CVE ranks at the 23.6th percentile by EPSS exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-22900 is a use of hard-coded credentials vulnerability (CWE-798) affecting QuNetSwitch from QNAP. Published on 2026-03-20, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its network accessibility, low attack complexity, and lack of prerequisites for exploitation.

Remote, unauthenticated attackers can exploit the vulnerability over the network by leveraging the hard-coded credentials to gain unauthorized access to affected QuNetSwitch devices. This access enables high-impact compromise of confidentiality, integrity, and availability, potentially allowing full control over the device.

QNAP's security advisory confirms the vulnerability has been fixed in QuNetSwitch version 2.0.5.0906 and later. Administrators should update to a patched version immediately to mitigate risks, with full details available at https://www.qnap.com/en/security-advisory/qsa-26-11.

Vulnerability details

A use of hard-coded credentials vulnerability has been reported to affect QuNetSwitch. Remote attackers can then exploit the vulnerability to gain unauthorized access. We have already fixed the vulnerability in the following version: QuNetSwitch 2.0.5.0906 and later.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1078.001 Default Accounts (tag: Stealth)
Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
Why these techniques?

Hard-coded credentials enable use of default accounts for unauthorized remote access.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-22897 (same product: Qnap Qunetswitch)
CVE-2026-22901 (same product: Qnap Qunetswitch)
CVE-2025-59388 (same product class: NAS / storage appliance)
CVE-2025-30264 (same product class: NAS / storage appliance)
CVE-2025-44015 (same product class: NAS / storage appliance)
CVE-2025-54153 (same product class: NAS / storage appliance)
CVE-2024-53697 (same product class: NAS / storage appliance)
CVE-2024-48864 (same product class: NAS / storage appliance)
CVE-2025-52868 (same product class: NAS / storage appliance)
CVE-2024-53700 (same product class: NAS / storage appliance)

Affected Assets

Vendor: qnap
Product: qunetswitch
Versions: 2.0.1.13077 — 2.0.5.0906

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

prevent (SI-2 Flaw Remediation): Requires timely installation of vendor patches like QuNetSwitch 2.0.5.0906 to remediate the hard-coded credentials vulnerability and prevent unauthorized access.

prevent (IA-5 Authenticator Management): Prohibits hard-coded and default authenticators by mandating their management, changing, and replacement to block exploitation for unauthorized access.

prevent: Enables review, monitoring, and disabling of accounts associated with hard-coded credentials to limit unauthorized remote access opportunities.
