PatchSiren

CVE-2026-22893 QNAP Systems Inc. CVE debrief

CVE-2026-22893 is a high-severity command injection vulnerability affecting several QNAP operating system versions. A remote attacker with administrator privileges on an affected system can exploit it to execute arbitrary commands. The vulnerability has been fixed in QTS 5.2.9.3410 build 20260214 and later, QuTS hero h5.2.9.3410 build 20260214 and later, QuTS hero h5.3.4.3500 build 20260520 and later, and QuTS hero h6.0.0.3459 build 20260409 and later.

Vendor: QNAP Systems Inc.
Product: QTS
CVSS: HIGH 8.6
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-10
Original CVE updated: 2026-06-10
Advisory published: 2026-06-10
Advisory updated: 2026-06-10

Who should care

Administrators of QNAP systems, particularly those using versions prior to the fixed releases, should apply the necessary updates to mitigate the risk of this vulnerability.

Technical summary

The vulnerability, tracked as CVE-2026-22893, allows an attacker with administrator privileges to inject commands on affected QNAP systems. This could lead to unauthorized execution of arbitrary commands, potentially resulting in system compromise or data breaches.

Defensive priority

High

Recommended defensive actions

  • Apply the latest security updates: Ensure that your QNAP system is running on QTS 5.2.9.3410 build 20260214 or later, QuTS hero h5.2.9.3410 build 20260214 or later, QuTS hero h5.3.4.3500 build 20260520 or later, or QuTS
  • Restrict access: Limit administrator access to only those who need it, and monitor for any suspicious activity.
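
One way to check an inventory against the fixed releases named in the summary above. This is an added example, not QNAP or PatchSiren code. The host names and installed release strings are constructed, and matching a fixed release only to its own major.minor branch is an assumption, so releases on other branches are reported as unlisted rather than guessed.

```python
import re

# Fixed releases exactly as this page lists them for CVE-2026-22893.
FIXED_RELEASES = [
    "QTS 5.2.9.3410 build 20260214",
    "QuTS hero h5.2.9.3410 build 20260214",
    "QuTS hero h5.3.4.3500 build 20260520",
    "QuTS hero h6.0.0.3459 build 20260409",
]
_RELEASE_RE = re.compile(
    r"^\s*(QTS|QuTS hero)\s+h?(\d+)\.(\d+)\.(\d+)\.(\d+)\s+build\s+(\d{8})\s*$",
    re.IGNORECASE)

def parse_release(text):
    """Return (product, (major, minor, patch, number, build)) or None."""
    m = _RELEASE_RE.match(text)
    if not m:
        return None
    product = "QuTS hero" if m.group(1).lower() == "quts hero" else "QTS"
    return product, tuple(int(g) for g in m.groups()[1:])

def check_release(installed):
    """Classify one installed release string against FIXED_RELEASES."""
    parsed = parse_release(installed)
    if parsed is None:
        return "unparsed"
    product, version = parsed
    for fixed in FIXED_RELEASES:
        f_product, f_version = parse_release(fixed)
        # Assumption: a fixed release covers only its own major.minor branch.
        if f_product == product and f_version[:2] == version[:2]:
            return "fixed" if version >= f_version else "needs-update"
    return "unlisted-branch"  # the page names no fixed release for this branch

# Constructed inventory (hypothetical hosts and releases), not data from the page.
SAMPLE_INVENTORY = {
    "nas-01": "QTS 5.2.9.3410 build 20260214",
    "nas-02": "QTS 5.2.9.3410 build 20260201",  # same version, older build
    "nas-03": "QuTS hero h5.3.2.3354 build 20260225",
    "nas-04": "QTS 5.1.9.2954 build 20241120",
}

def audit(inventory):
    """Map each host to its classification."""
    return {host: check_release(rel) for host, rel in inventory.items()}

if __name__ == "__main__":
    print("\n".join(f"{h}: {s}" for h, s in audit(SAMPLE_INVENTORY).items()))
```

Hosts reported as unlisted-branch or unparsed need a manual check against the vendor advisory.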

Evidence notes

The CVE-2026-22893 vulnerability has a CVSS score of 8.6, indicating a high severity level. The vulnerability was published on June 10, 2026, and last modified on the same day.

Official resources

CVE-2026-22893 was published on 2026-06-10T04:17:14.967Z and modified on 2026-06-10T19:43:28.857Z.