IRONSMITHINTEL
Severity: Medium (CVSS 6.1) | Actively exploited | CISA KEV | CVE-2018-19953 | Auth: none (unauthenticated) | Reboot: required | Remediation: manual only

QNAP NAS File Station Cross-Site Scripting Vulnerability

A cross-site scripting vulnerability affecting QNAP NAS File Station could allow remote attackers to inject malicious code.

Published Oct 28, 2020 · Updated May 16, 2026
Why patch (risk explained in plain English)

Worst-case scenario (if unpatched)

A remote attacker who does not hold any NAS credentials can, by getting a File Station user to open a crafted link, cause partial data exposure and partial data tampering in that user's session. CISA reports this vulnerability as used in known ransomware campaigns, so treat remediation as high priority. Federal agencies were required to remediate by 2022-06-14 under CISA BOD 22-01.

How the attack works (user interaction required)

This is a cross-site scripting (XSS, CWE-79) vulnerability in File Station on QNAP Network Attached Storage (NAS) devices running QTS. If exploited, it allows a remote attacker to inject script that runs in the browser of a File Station user, so the attacker acts with that user's view of the NAS rather than gaining code execution on the device itself. Exploitation needs network access to the web interface, is low complexity and requires no authentication, but does require user interaction (the victim must open the attacker's crafted link or content). QNAP fixed the issue in the following QTS versions:

QTS 4.4.2.1231 build 20200302
QTS 4.4.1.1201 build 20200130
QTS 4.3.6.1218 build 20200214
QTS 4.3.4.1190 build 20200107
QTS 4.3.3.1161 build 20200109
QTS 4.2.6 build 20200109

Typical chain: phishing link or malicious file -> a logged-in File Station user opens it -> injected script runs in that user's session (partial data exposure or tampering, not a full server compromise)

Am I affected? (quick check)

Probably yes if you are running any of these QTS versions:

QTS older than 4.2.6, or QTS 4.2.6 with a build older than 20200109
QTS 4.3.1.0013 up to, but not including, 4.3.3.1161
QTS 4.3.4 up to, but not including, 4.3.4.1190
QTS 4.3.6 up to, but not including, 4.3.6.1218
QTS 4.4.0 up to, but not including, 4.4.1.1201
QTS 4.4.2 up to, but not including, 4.4.2.1231
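To turn the version ranges above into something you can run over a fleet inventory, here is an added example in Python. It is not part of this page's tooling and not QNAP's own code; it only encodes the affected ranges and fixed builds listed on this page. The version and build strings are assumed to be read by the operator from each NAS (the script contacts nothing), and versions outside every listed range are reported as not affected, exactly as the list above implies.

```python
"""Offline QTS version check for CVE-2018-19953 (QNAP File Station XSS).

Affected ranges and fixed builds are those listed on this page (QNAP
advisory QSA-20-01). Version strings are supplied by the operator; reading
them from a NAS is out of scope here and is not verified by this script.
"""
from typing import Optional, Tuple

# (lower bound inclusive, upper bound exclusive) as dotted versions, copied
# from the page's "Am I affected?" list. A None lower bound means unbounded.
AFFECTED_RANGES: Tuple[Tuple[Optional[str], str], ...] = (
    (None, "4.2.6"),              # anything older than 4.2.6
    ("4.3.1.0013", "4.3.3.1161"),
    ("4.3.4", "4.3.4.1190"),
    ("4.3.6", "4.3.6.1218"),
    ("4.4.0", "4.4.1.1201"),
    ("4.4.2", "4.4.2.1231"),
)

# QTS 4.2.6 keeps the same version string across builds, so its fix is
# identified by build date only: build 20200109 is the first fixed build.
FIXED_426_BUILD = 20200109


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '4.3.1.0013' into (4, 3, 1, 13); raise ValueError on junk."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {version!r}")
    return tuple(int(p) for p in parts)


def _key(v: Tuple[int, ...], width: int = 4) -> Tuple[int, ...]:
    """Right-pad with zeros so that 4.3.4 compares below 4.3.4.1190."""
    return v + (0,) * (width - len(v))


def is_affected(version: str, build: Optional[str] = None) -> bool:
    """True if this QTS version (plus build date for 4.2.6) is in an affected range."""
    v = _key(parse_version(version))
    # 4.2.6 is ambiguous by version string alone; decide on the build date.
    if v[:3] == (4, 2, 6):
        if build is None:
            return True  # unknown build on a branch that had the bug: fail closed
        return int(build) < FIXED_426_BUILD
    for low, high in AFFECTED_RANGES:
        if low is not None and v < _key(parse_version(low)):
            continue
        if v < _key(parse_version(high)):
            return True
    return False


def triage(inventory: dict) -> dict:
    """Map {hostname: (version, build_or_None)} to {hostname: affected_bool}."""
    return {host: is_affected(ver, build) for host, (ver, build) in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = {
        "nas-01": ("4.3.6.1211", None),
        "nas-02": ("4.3.6.1218", "20200214"),
        "nas-03": ("4.2.6", "20191231"),
        "nas-04": ("4.4.2.1231", "20200302"),
    }
    for host, affected in triage(sample).items():
        print(f"{host}: {'AFFECTED - update QTS' if affected else 'fixed build'}")
```

Because the 4.2.6 branch is distinguishable only by build date, the check fails closed when no build is given for it; pass the build string from the NAS whenever you have it.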
Real-world incidents (what we've seen)

CISA confirms this CVE has been used in known ransomware campaigns. Added to the KEV catalog on 2022-05-24; federal agencies required to remediate by 2022-06-14.

How to patch

Manual remediation steps

Apply the Vendor Patch

This vulnerability is in the CISA Known Exploited Vulnerabilities catalog; update QTS to one of the fixed versions listed above (or later) as soon as possible. The firmware update reboots the NAS, so schedule it accordingly, and confirm the installed version and build afterwards.

CISA required action: Apply updates per vendor instructions.

References

1. Vendor advisory: https://www.qnap.com/zh-tw/security-advisory/qsa-20-01
2. NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2018-19953
3. CISA KEV: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2018-19953