CVE-2026-22900 | QNAP QuNetSwitch 2.0.4.0415 hard-coded credentials (qsa-26-11 / EUVD-2026-13720)

VDB-352098 · CVE-2026-22900 · QSA-26-11 QNAP QUNETSWITCH 2.0.4.0415 HARD-CODED CREDENTIALS HISTORYDIFFRELATEJSONXMLCTI CVSS Meta Temp Score Current Exploit Price (≈) CTI Interest Score 7.0 $0-$5k 2.17+ Summaryinfo A vulnerability described as critical has been identified in QNAP QuNetSwitch. Affected is an unknown function. The manipulation results in hard-coded credentials. This vulnerability was named CVE-2026-22900. The attack may be performed from remote. There is no available exploit. Upgrading the affected component is recommended. Detailsinfo A vulnerability classified as critical has been found in QNAP QuNetSwitch. Affected is an unknown code block. The manipulation with an unknown input leads to a hard-coded credentials vulnerability. CWE is classifying the issue as CWE-798. The product contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. This is going to have an impact on confidentiality, integrity, and availability. CVE summarizes: A use of hard-coded credentials vulnerability has been reported to affect QuNetSwitch. The remote attackers can then exploit the vulnerability to gain unauthorized access. We have already fixed the vulnerability in the following version: QuNetSwitch 2.0.5.0906 and later The weakness was presented by 產品安全漏洞獵捕計劃 as qsa-26-11. The advisory is available at qnap.com. This vulnerability is traded as CVE-2026-22900 since 01/13/2026. The exploitability is told to be easy. It is possible to launch the attack remotely. The exploitation doesn't require any form of authentication. The technical details are unknown and an exploit is not available. This vulnerability is assigned to T1110.001 by the MITRE ATT&CK project. Upgrading to version 2.0.5.0906 eliminates this vulnerability. The vulnerability is also documented in the vulnerability database at EUVD (EUVD-2026-13720). Productinfo Vendor QNAP Name QuNetSwitch Version 2.0.4.0415 License commercial Website Vendor: https://www.qnap.com/ CPE 2.3info 🔒 CPE 2.2info 🔒 CVSSv4info VulDB Vector: 🔒 VulDB Reliability: 🔍 CNA CVSS-B Score: 🔒 CNA CVSS-BT Score: 🔒 CNA Vector: 🔒 CVSSv3info VulDB Meta Base Score: 7.3 VulDB Meta Temp Score: 7.0 VulDB Base Score: 7.3 VulDB Temp Score: 7.0 VulDB Vector: 🔒 VulDB Reliability: 🔍 CVSSv2info Vector Complexity Authentication Confidentiality Integrity Availability Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock VulDB Base Score: 🔒 VulDB Temp Score: 🔒 VulDB Reliability: 🔍 Exploitinginfo Class: Hard-coded credentials CWE: CWE-798 / CWE-259 / CWE-255 CAPEC: 🔒 ATT&CK: 🔒 Physical: No Local: No Remote: Yes Availability: 🔒 Status: Not defined Price Prediction: 🔍 Current Price Estimation: 🔒 0-Day Unlock Unlock Unlock Unlock Today Unlock Unlock Unlock Unlock Threat Intelligenceinfo Interest: 🔍 Active Actors: 🔍 Active APT Groups: 🔍 Countermeasuresinfo Recommended: Upgrade Status: 🔍 0-Day Time: 🔒 Upgrade: QuNetSwitch 2.0.5.0906 Timelineinfo 01/13/2026 CVE reserved 03/20/2026 +66 days Advisory disclosed 03/20/2026 +0 days VulDB entry created 03/20/2026 +0 days VulDB entry last update Sourcesinfo Vendor: qnap.com Advisory: qsa-26-11 Researcher: 產品安全漏洞獵捕計劃 Status: Confirmed CVE: CVE-2026-22900 (🔒) GCVE (CVE): GCVE-0-2026-22900 GCVE (VulDB): GCVE-100-352098 EUVD: 🔒 Entryinfo Created: 03/20/2026 17:56 Updated: 03/20/2026 20:05 Changes: 03/20/2026 17:56 (68), 03/20/2026 17:57 (2), 03/20/2026 20:05 (1) Complete: 🔍 Cache ID: 99:772:101 Discussion No comments yet. Languages: en. Please log in to comment. ◂ PreviousOverviewNext ▸