CVE-2026-22901

CriticalRCE

Published: 20 March 2026

Published

20 March 2026

Modified

25 March 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0042 61.8th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-22901 is a critical-severity OS Command Injection (CWE-78) vulnerability in Qnap Qunetswitch. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 38.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

SI-2 requires timely remediation of flaws, directly addressing this command injection vulnerability by applying the vendor fix in QuNetSwitch 2.0.5.0906.

SI-10 Information Input Validation good match

prevent

SI-10 mandates input validation to block malicious command injection payloads from being processed by the system.

AC-6 Least Privilege partial match

prevent

AC-6 enforces least privilege on user accounts, limiting the scope and impact of arbitrary commands executed via the vulnerability.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1059 Command and Scripting Interpreter Execution

Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.

attack.mitre.org →

Why these techniques?

Remote unauthenticated command injection (CVSS PR:N) enables exploitation of public-facing applications (T1190) and facilitates arbitrary command execution (T1059).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

A command injection vulnerability has been reported to affect QuNetSwitch. If a remote attacker gains a user account, they can then exploit the vulnerability to execute arbitrary commands. We have already fixed the vulnerability in the following version: QuNetSwitch 2.0.5.0906…

and later

Deeper analysisAI

CVE-2026-22901 is a command injection vulnerability (CWE-78) affecting QuNetSwitch. Published on 2026-03-20T17:16:44.627, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity with potential for high confidentiality, integrity, and availability impacts.

A remote attacker who gains a user account can exploit the vulnerability to execute arbitrary commands on the affected system.

QNAP has fixed the vulnerability in QuNetSwitch version 2.0.5.0906 and later. Additional details are available in the security advisory at https://www.qnap.com/en/security-advisory/qsa-26-11.

Details

CWE(s): CWE-78

Affected Products

qnap

qunetswitch

2.0.1.13077 — 2.0.5.0906

CVEs Like This One

CVE-2026-22897Same product: Qnap Qunetswitch

CVE-2026-22900Same product: Qnap Qunetswitch

CVE-2025-44015Same product class: NAS / storage appliance

CVE-2025-53595Same product class: NAS / storage appliance

CVE-2024-56808Same product class: NAS / storage appliance

CVE-2024-14026Same product class: NAS / storage appliance

CVE-2024-56804Same product class: NAS / storage appliance

CVE-2024-50390Same product class: NAS / storage appliance

CVE-2025-30264Same product class: NAS / storage appliance

CVE-2025-29893Same product class: NAS / storage appliance

References

https://www.qnap.com/en/security-advisory/qsa-26-11
Vendor Advisory · security@qnapsecurity.com.tw