Cyber Posture

CVE-2026-22900

Critical

Published: 20 March 2026

Published
20 March 2026
Modified
25 March 2026
KEV Added
Patch
CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0019 40.3th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-22900 is a critical-severity Use of Hard-coded Credentials (CWE-798) vulnerability in Qnap Qunetswitch. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Default Accounts (T1078.001); ranked at the 40.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Default Accounts (T1078.001). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match
prevent

Requires timely installation of vendor patches like QuNetSwitch 2.0.5.0906 to remediate the hard-coded credentials vulnerability and prevent unauthorized access.

IA-5 Authenticator Management good match
prevent

Prohibits hard-coded and default authenticators by mandating their management, changing, and replacement to block exploitation for unauthorized access.

AC-2 Account Management partial match
prevent

Enables review, monitoring, and disabling of accounts associated with hard-coded credentials to limit unauthorized remote access opportunities.

MITRE ATT&CK Enterprise TechniquesAI

T1078.001 Default Accounts Stealth
Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
attack.mitre.org →
Why these techniques?

Hard-coded credentials enable use of default accounts for unauthorized remote access.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

A use of hard-coded credentials vulnerability has been reported to affect QuNetSwitch. The remote attackers can then exploit the vulnerability to gain unauthorized access. We have already fixed the vulnerability in the following version: QuNetSwitch 2.0.5.0906 and later

Deeper analysisAI

CVE-2026-22900 is a use of hard-coded credentials vulnerability (CWE-798) affecting QuNetSwitch from QNAP. Published on 2026-03-20, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its network accessibility, low attack complexity, and lack of prerequisites for exploitation.

Remote, unauthenticated attackers can exploit the vulnerability over the network by leveraging the hard-coded credentials to gain unauthorized access to affected QuNetSwitch devices. This access enables high-impact compromise of confidentiality, integrity, and availability, potentially allowing full control over the device.

QNAP's security advisory confirms the vulnerability has been fixed in QuNetSwitch version 2.0.5.0906 and later. Administrators should update to a patched version immediately to mitigate risks, with full details available at https://www.qnap.com/en/security-advisory/qsa-26-11.

Details

CWE(s)
CWE-798

Affected Products

qnap
qunetswitch
2.0.1.13077 — 2.0.5.0906

CVEs Like This One

CVE-2026-22901Same product: Qnap Qunetswitch
CVE-2026-22897Same product: Qnap Qunetswitch
CVE-2025-59388Same product class: NAS / storage appliance
CVE-2024-50394Same product class: NAS / storage appliance
CVE-2025-52425Same product class: NAS / storage appliance
CVE-2025-52863Same product class: NAS / storage appliance
CVE-2025-48725Same product class: NAS / storage appliance
CVE-2025-57713Same product class: NAS / storage appliance
CVE-2025-11837Same product class: NAS / storage appliance
CVE-2024-13086Same product class: NAS / storage appliance

References