Cyber Resilience

CVE-2026-22901

MediumRCE

Published: 20 March 2026

Published
20 March 2026
Modified
25 March 2026
KEV Added
Patch
CVSS Score v4 6.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0095 56.6th percentile
Risk Priority 35 floored blend · peak EPSS

Summary

CVE-2026-22901 is a medium-severity OS Command Injection (CWE-78) vulnerability in Qnap Qunetswitch. Its CVSS base score is 6.3 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 43.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-22901 is a command injection vulnerability (CWE-78) affecting QuNetSwitch. Published on 2026-03-20T17:16:44.627, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity with potential for high confidentiality, integrity, and availability impacts.

A remote attacker who gains a user account can exploit the vulnerability to execute arbitrary commands on the affected system.

QNAP has fixed the vulnerability in QuNetSwitch version 2.0.5.0906 and later. Additional details are available in the security advisory at https://www.qnap.com/en/security-advisory/qsa-26-11.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

A command injection vulnerability has been reported to affect QuNetSwitch. If a remote attacker gains a user account, they can then exploit the vulnerability to execute arbitrary commands. We have already fixed the vulnerability in the following version: QuNetSwitch 2.0.5.0906…

more

and later

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059 Command and Scripting Interpreter Execution
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
Why these techniques?

Remote unauthenticated command injection (CVSS PR:N) enables exploitation of public-facing applications (T1190) and facilitates arbitrary command execution (T1059).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-22897Same product: Qnap Qunetswitch
CVE-2026-22900Same product: Qnap Qunetswitch
CVE-2025-44015Same product class: NAS / storage appliance
CVE-2024-56808Same product class: NAS / storage appliance
CVE-2024-14026Same product class: NAS / storage appliance
CVE-2024-56804Same product class: NAS / storage appliance
CVE-2025-53595Same product class: NAS / storage appliance
CVE-2025-30264Same product class: NAS / storage appliance
CVE-2024-50390Same product class: NAS / storage appliance
CVE-2025-29893Same product class: NAS / storage appliance

Affected Assets

qnap
qunetswitch
2.0.1.13077 — 2.0.5.0906

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

SI-2 requires timely remediation of flaws, directly addressing this command injection vulnerability by applying the vendor fix in QuNetSwitch 2.0.5.0906.

prevent

SI-10 mandates input validation to block malicious command injection payloads from being processed by the system.

prevent

AC-6 enforces least privilege on user accounts, limiting the scope and impact of arbitrary commands executed via the vulnerability.

References