Legacy VioStor NVR
CVE-2023-47565

8.8HIGH

Key Information:

Vendor: QNAP
Status: ViOStor Nvr
Vendor: CVE Published:; 8 December 2023

Badges

👾 Exploit Exists🟣 EPSS 83%🦅 CISA Reported

What is CVE-2023-47565?

An OS command injection vulnerability has been identified in legacy QNAP VioStor NVR models utilizing QVR Firmware 4.x. This flaw allows authenticated users to execute arbitrary commands through network interfaces, potentially compromising system integrity. It is essential for users to upgrade to QVR Firmware 5.0.0 or later to mitigate the risk associated with this vulnerability.

CISA has reported CVE-2023-47565

CISA provides regional cyber and physical services to support security and resilience across the United States. CISA monitor the most dangerious vulnerabilities and have identifed CVE-2023-47565 as being exploited but is not known by the CISA to be used in ransomware campaigns. This is subject to change at pace

The CISA's recommendation is: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Affected Version(s)

VioStor NVR QVR Firmware 4.x < 5.0.0

References

https://www.qnap.com/en/security-advisory/qsa-23-48

EPSS Score

83% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

👾
Exploit known to exist
Dec 21, 2023
🦅
CISA Reported
Dec 21, 2023
Vulnerability published
Dec 8, 2023
Vulnerability Reserved
Nov 6, 2023

Credit

Chad Seaman and Larry Cashdollar of Akamai Technologies reported this vulnerability to CISA

JSON