What is QNAP VioStor NVR?
QNAP VioStor is a network video recorder (NVR) product line designed for IP camera surveillance systems — used in commercial, industrial, and enterprise physical security deployments to record and manage video feeds from IP cameras. VioStor NVRs run a Linux-based firmware with a web interface for camera management and playback, accessible on the local network. Like other NVR and NAS devices, VioStor appliances are always-on, run embedded Linux, and are increasingly targeted by Mirai botnet variants that systematically exploit command injection vulnerabilities to recruit devices into DDoS infrastructure.
Overview
CVE-2023-47565 is an OS command injection vulnerability in QNAP VioStor NVR appliances that allows a low-privilege authenticated attacker on the adjacent network to execute OS commands. QNAP published patches in December 2023, but the vulnerability was already being exploited as a zero-day: Akamai's threat intelligence team found the InfectedSlurs Mirai botnet variant exploiting CVE-2023-47565 in November 2023, before QNAP had a patch. CISA added it to KEV on December 21, 2023, alongside CVE-2023-49897 (a similar FXC router vulnerability targeted by the same botnet campaign).
Affected Versions
| Product | Vulnerable | Fixed |
|---|---|---|
| VioStor NVR (running QVR firmware 5.x and earlier) | Multiple versions | QVR 5.x firmware update per QSA-23-48 |
QNAP advises upgrading to the latest QVR firmware version. Older VioStor models that no longer receive firmware updates should be isolated or replaced.
Technical Details
CWE-78 (Improper Neutralization of Special Elements used in an OS Command). QNAP VioStor NVR's web management interface includes functionality accessible to authenticated users (including low-privilege accounts) that processes user-controlled input without sufficient sanitization. By injecting OS command metacharacters into vulnerable parameter fields, a low-privilege authenticated user on the adjacent network can execute arbitrary OS commands on the NVR's underlying Linux system.
The Adjacent Network attack vector (AV:A) reflects that the attack requires access to the same network segment as the NVR — unlike fully internet-facing vulnerabilities. However, NVRs are often on segments accessible to employees, guests, or other devices, making the adjacency requirement less restrictive than it might appear. In environments where NVRs are connected to the same LAN as workstations or servers, a compromised workstation can trivially exploit adjacent NVR vulnerabilities.
Discovery
The vulnerability was discovered by Akamai's Security Intelligence and Response Team (SIRT) while investigating InfectedSlurs botnet activity in November 2023. Akamai observed the botnet exploiting both CVE-2023-47565 and CVE-2023-49897 as zero-days to compromise NVR and router devices. Akamai disclosed both issues to QNAP and FXC, triggering coordinated patch releases in December 2023.
Exploitation Context
The InfectedSlurs campaign, named for the offensive language found in bot configuration strings, was a Mirai variant targeting NVR and wireless router devices using zero-day exploits. Akamai identified InfectedSlurs exploiting both QNAP VioStor NVRs and FXC routers before vendors had patches available. Compromised devices were recruited into a DDoS botnet to supply volumetric attack capacity.
The simultaneous KEV addition of CVE-2023-47565 and CVE-2023-49897 reflects CISA's awareness that both devices were targeted in the same coordinated botnet campaign.
Remediation
- Update VioStor NVR firmware to the version specified in QNAP Security Advisory QSA-23-48 via the QVR firmware update mechanism.
- Change all default and weak credentials on the VioStor NVR — the PR:L attack requires a valid low-privilege account, making strong password hygiene essential.
- Restrict VioStor NVR network access to the minimum necessary — place NVR devices on an isolated surveillance VLAN with access controls preventing unauthorized devices from reaching the management interface.
- If the device is end-of-life and cannot receive firmware updates, isolate it from general network access or replace it with a supported device.
- Review NVR logs and active connections for evidence of botnet agent installation — unexpected outbound connections or unusual CPU utilization indicate potential compromise.
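The isolation and connection-review steps above can be checked against flow records from the switch or firewall that fronts the NVR. The following is an added example, not QNAP or Akamai tooling: the addresses, the allowlist and the six-field flow format are assumptions, and the sample records are constructed.

```python
import ipaddress

# Assumed policy with hypothetical addresses: the NVR lives on a surveillance
# VLAN and may reach only its cameras, one NTP server and one admin workstation.
NVR_IP = "10.20.0.10"
ALLOWED = [
    ("10.20.0.0/24", None),   # cameras on the surveillance VLAN, any port
    ("10.10.0.5/32", 123),    # internal NTP server, NTP only
    ("10.10.0.50/32", None),  # management workstation (replies to its sessions)
]

# Constructed flow records: "timestamp src dst dport proto bytes"
SAMPLE_FLOWS = """\
2023-12-01T02:14:07Z 10.20.0.10 10.20.0.31 554 tcp 88211
2023-12-01T02:14:09Z 10.20.0.10 10.10.0.5 123 udp 76
2023-12-01T02:15:40Z 10.20.0.10 203.0.113.77 23 tcp 412
2023-12-01T02:15:41Z 10.20.0.10 198.51.100.9 8080 tcp 150332
2023-12-01T02:16:02Z 10.20.0.44 10.20.0.10 80 tcp 2040
2023-12-01T02:16:30Z 10.20.0.10 10.10.0.5 53 udp 90
malformed line
"""

def parse_flow(line):
    """Return a flow dict, or None for a record that does not parse."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, src, dst, dport, proto, nbytes = parts
    try:
        return {"ts": ts, "src": ipaddress.ip_address(src),
                "dst": ipaddress.ip_address(dst), "dport": int(dport),
                "proto": proto, "bytes": int(nbytes)}
    except ValueError:
        return None

def is_allowed(dst, dport, policy=ALLOWED):
    """True if the destination and port match an allowlist entry."""
    return any(dst in ipaddress.ip_network(net) and port in (None, dport)
               for net, port in policy)

def unexpected_outbound(text, nvr_ip=NVR_IP):
    """List NVR-originated flows that fall outside the allowlist."""
    nvr = ipaddress.ip_address(nvr_ip)
    hits = []
    for line in text.splitlines():
        flow = parse_flow(line)
        if flow and flow["src"] == nvr and not is_allowed(flow["dst"], flow["dport"]):
            hits.append((flow["ts"], str(flow["dst"]), flow["dport"], flow["proto"]))
    return hits
```

Any hit means either the VLAN access controls are not enforcing the intended policy or the NVR is initiating traffic it has no reason to send; both warrant a closer look at the device.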
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2023-47565 |
| Vendor / Product | QNAP — VioStor NVR |
| NVD Published | 2023-12-08 |
| NVD Last Modified | 2026-02-26 |
| CVSS 3.1 Score | 8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| Severity | HIGH |
| CWE | CWE-78 |
| CISA KEV Added | 2023-12-21 |
| CISA KEV Deadline | 2024-01-11 |
| Known Ransomware Use | No |
Timeline
| Date | Event |
|---|---|
| 2023-11-21 | Akamai publishes InfectedSlurs research documenting active Mirai botnet exploitation of CVE-2023-47565 and CVE-2023-49897 as zero-days |
| 2023-12-08 | QNAP publishes QSA-23-48 and releases firmware patches for VioStor NVR series |
| 2023-12-21 | CISA adds CVE-2023-47565 to Known Exploited Vulnerabilities catalog alongside CVE-2023-49897 |
| 2024-01-11 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| QNAP Security Advisory QSA-23-48 — CVE-2023-47565 | Vendor Advisory |
| NVD — CVE-2023-47565 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |