CVE-2023-23369 | QTS, Multimedia Console, and Media Streaming add-on

An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to execute commands via a network. We have already fixed the vulnerability in the following versions: Multimedia Console 2.1.2 ( 2023/05/04 ) and later Multimedia Console 1.4.8 ( 2023/05/05 ) and later QTS 5.1.0.2399 build 20230515 and later QTS 4.3.6.2441 build 20230621 and later QTS 4.3.4.2451 build 20230621 and later QTS 4.3.3.2420 build 20230621 and later QTS 4.2.6 build 20230621 and later Media Streaming add-on 500.1.1.2 ( 2023/06/12 ) and later Media Streaming add-on 500.0.0.11 ( 2023/06/16 ) and later

Published: 2023-11-03 Last update: 2026-06-17 Assigner: [email protected] Source: [email protected]

Conclusion & alert: CVE-2023-23369 is rated High Risk (72.2/100): CVSS Critical severity, with high exploitation likelihood (EPSS 14.41%, 96th percentile). Core evidence: EPSS ranks this CVE among the most likely to be exploited in the near term. EPSS rose +2.59% over the last day, indicating growing attacker interest. Mandatory action: High exploitation likelihood—assess exposure and prioritize remediation.

Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.

Exploit prediction scoring system (EPSS) score for CVE-2023-23369

EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).

# Date Old EPSS score New EPSS score Delta (New - Old)
1 2026-06-15 11.81% 14.41% +2.59%
2 2025-11-24 14.77% 11.81% -2.95%
3 2025-11-21 14.77%

Full EPSS history (13 records total)

Common vulnerability scoring system (CVSS) metrics for CVE-2023-23369

CVSS metrics for this CVE.

Base score Version Severity Vector Exploitability Impact Score source
9.0 3.1 CRITICAL
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H Click to expand
Attack vector (AV:N)
Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:H)
Even with access, the exploit needs extra luck, timing, or a fussy environment to actually work.
Privileges required (PR:N)
No account or special rights needed—anonymous or random user is enough.
User interaction (UI:N)
Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:C)
Breaking this can reach past the original component and bite other resources—bigger blast radius.
Confidentiality (C:H)
Serious risk that confidential data gets exposed in a big way.
Integrity (I:H)
They could widely tamper with or forge data—trust in the data is badly hurt.
Availability (A:H)
Could take the service down hard or make it unusable for people who depend on it.
2.2 6.0 [email protected]
9.8 3.1 CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Click to expand
Attack vector (AV:N)
Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:L)
Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:N)
No account or special rights needed—anonymous or random user is enough.
User interaction (UI:N)
Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U)
Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:H)
Serious risk that confidential data gets exposed in a big way.
Integrity (I:H)
They could widely tamper with or forge data—trust in the data is badly hurt.
Availability (A:H)
Could take the service down hard or make it unusable for people who depend on it.
3.9 5.9 [email protected]

Weakness enumeration for CVE-2023-23369

Affected software / configurations for CVE-2023-23369

Vendor Product Version Raw CPE
qnap qts 5.1.0.2348 cpe:2.3:o:qnap:qts:5.1.0.2348:build_20230325:*:*:*:*:*:*
qnap qts 4.3.6.0895 cpe:2.3:o:qnap:qts:4.3.6.0895:build_20190328:*:*:*:*:*:*
qnap qts 4.3.6.0907 cpe:2.3:o:qnap:qts:4.3.6.0907:build_20190409:*:*:*:*:*:*
qnap qts 4.3.6.0923 cpe:2.3:o:qnap:qts:4.3.6.0923:build_20190425:*:*:*:*:*:*
qnap qts 4.3.6.0944 cpe:2.3:o:qnap:qts:4.3.6.0944:build_20190516:*:*:*:*:*:*
qnap qts 4.3.6.0959 cpe:2.3:o:qnap:qts:4.3.6.0959:build_20190531:*:*:*:*:*:*
qnap qts 4.3.6.0979 cpe:2.3:o:qnap:qts:4.3.6.0979:build_20190620:*:*:*:*:*:*
qnap qts 4.3.6.0993 cpe:2.3:o:qnap:qts:4.3.6.0993:build_20190704:*:*:*:*:*:*
qnap qts 4.3.6.1013 cpe:2.3:o:qnap:qts:4.3.6.1013:build_20190724:*:*:*:*:*:*
qnap qts 4.3.6.1033 cpe:2.3:o:qnap:qts:4.3.6.1033:build_20190813:*:*:*:*:*:*
qnap qts 4.3.6.1070 cpe:2.3:o:qnap:qts:4.3.6.1070:build_20190919:*:*:*:*:*:*
qnap qts 4.3.6.1154 cpe:2.3:o:qnap:qts:4.3.6.1154:build_20191212:*:*:*:*:*:*
qnap qts 4.3.6.1218 cpe:2.3:o:qnap:qts:4.3.6.1218:build_20200214:*:*:*:*:*:*
qnap qts 4.3.6.1263 cpe:2.3:o:qnap:qts:4.3.6.1263:build_20200330:*:*:*:*:*:*
qnap qts 4.3.6.1286 cpe:2.3:o:qnap:qts:4.3.6.1286:build_20200422:*:*:*:*:*:*
qnap qts 4.3.6.1333 cpe:2.3:o:qnap:qts:4.3.6.1333:build_20200608:*:*:*:*:*:*
qnap qts 4.3.6.1411 cpe:2.3:o:qnap:qts:4.3.6.1411:build_20200825:*:*:*:*:*:*
qnap qts 4.3.6.1446 cpe:2.3:o:qnap:qts:4.3.6.1446:build_20200929:*:*:*:*:*:*
qnap qts 4.3.6.1620 cpe:2.3:o:qnap:qts:4.3.6.1620:build_20210322:*:*:*:*:*:*
qnap qts 4.3.6.1663 cpe:2.3:o:qnap:qts:4.3.6.1663:build_20210504:*:*:*:*:*:*
qnap qts 4.3.6.1711 cpe:2.3:o:qnap:qts:4.3.6.1711:build_20210621:*:*:*:*:*:*
qnap qts 4.3.6.1750 cpe:2.3:o:qnap:qts:4.3.6.1750:build_20210730:*:*:*:*:*:*
qnap qts 4.3.6.1831 cpe:2.3:o:qnap:qts:4.3.6.1831:build_20211019:*:*:*:*:*:*
qnap qts 4.3.6.1907 cpe:2.3:o:qnap:qts:4.3.6.1907:build_20220103:*:*:*:*:*:*
qnap qts 4.3.6.1965 cpe:2.3:o:qnap:qts:4.3.6.1965:build_20220302:*:*:*:*:*:*
qnap qts 4.3.6.2050 cpe:2.3:o:qnap:qts:4.3.6.2050:build_20220526:*:*:*:*:*:*
qnap qts 4.3.6.2232 cpe:2.3:o:qnap:qts:4.3.6.2232:build_20221124:*:*:*:*:*:*
qnap qts 4.3.4.0899 cpe:2.3:o:qnap:qts:4.3.4.0899:build_20190322:*:*:*:*:*:*
qnap qts 4.3.4.1029 cpe:2.3:o:qnap:qts:4.3.4.1029:build_20190730:*:*:*:*:*:*
qnap qts 4.3.4.1082 cpe:2.3:o:qnap:qts:4.3.4.1082:build_20190921:*:*:*:*:*:*
qnap qts 4.3.4.1190 cpe:2.3:o:qnap:qts:4.3.4.1190:build_20200107:*:*:*:*:*:*
qnap qts 4.3.4.1282 cpe:2.3:o:qnap:qts:4.3.4.1282:build_20200408:*:*:*:*:*:*
qnap qts 4.3.4.1368 cpe:2.3:o:qnap:qts:4.3.4.1368:build_20200703:*:*:*:*:*:*
qnap qts 4.3.4.1417 cpe:2.3:o:qnap:qts:4.3.4.1417:build_20200821:*:*:*:*:*:*
qnap qts 4.3.4.1463 cpe:2.3:o:qnap:qts:4.3.4.1463:build_20201006:*:*:*:*:*:*
qnap qts 4.3.4.1632 cpe:2.3:o:qnap:qts:4.3.4.1632:build_20210324:*:*:*:*:*:*
qnap qts 4.3.4.1652 cpe:2.3:o:qnap:qts:4.3.4.1652:build_20210413:*:*:*:*:*:*
qnap qts 4.3.4.1976 cpe:2.3:o:qnap:qts:4.3.4.1976:build_20220303:*:*:*:*:*:*
qnap qts 4.3.4.2107 cpe:2.3:o:qnap:qts:4.3.4.2107:build_20220712:*:*:*:*:*:*
qnap qts 4.3.4.2242 cpe:2.3:o:qnap:qts:4.3.4.2242:build_20221124:*:*:*:*:*:*
qnap qts 4.3.3.0174 cpe:2.3:o:qnap:qts:4.3.3.0174:build_20170503:*:*:*:*:*:*
qnap qts 4.3.3.0868 cpe:2.3:o:qnap:qts:4.3.3.0868:build_20190322:*:*:*:*:*:*
qnap qts 4.3.3.0998 cpe:2.3:o:qnap:qts:4.3.3.0998:build_20190730:*:*:*:*:*:*
qnap qts 4.3.3.1051 cpe:2.3:o:qnap:qts:4.3.3.1051:build_20190921:*:*:*:*:*:*
qnap qts 4.3.3.1098 cpe:2.3:o:qnap:qts:4.3.3.1098:build_20191107:*:*:*:*:*:*
qnap qts 4.3.3.1161 cpe:2.3:o:qnap:qts:4.3.3.1161:build_20200109:*:*:*:*:*:*
qnap qts 4.3.3.1252 cpe:2.3:o:qnap:qts:4.3.3.1252:build_20200409:*:*:*:*:*:*
qnap qts 4.3.3.1315 cpe:2.3:o:qnap:qts:4.3.3.1315:build_20200611:*:*:*:*:*:*
qnap qts 4.3.3.1386 cpe:2.3:o:qnap:qts:4.3.3.1386:build_20200821:*:*:*:*:*:*
qnap qts 4.3.3.1432 cpe:2.3:o:qnap:qts:4.3.3.1432:build_20201006:*:*:*:*:*:*
qnap qts 4.3.3.1624 cpe:2.3:o:qnap:qts:4.3.3.1624:build_20210416:*:*:*:*:*:*
qnap qts 4.3.3.1677 cpe:2.3:o:qnap:qts:4.3.3.1677:build_20210608:*:*:*:*:*:*
qnap qts 4.3.3.1693 cpe:2.3:o:qnap:qts:4.3.3.1693:build_20210624:*:*:*:*:*:*
qnap qts 4.3.3.1799 cpe:2.3:o:qnap:qts:4.3.3.1799:build_20211008:*:*:*:*:*:*
qnap qts 4.3.3.1864 cpe:2.3:o:qnap:qts:4.3.3.1864:build_20211212:*:*:*:*:*:*
qnap qts 4.3.3.1945 cpe:2.3:o:qnap:qts:4.3.3.1945:build_20220303:*:*:*:*:*:*
qnap qts 4.3.3.2057 cpe:2.3:o:qnap:qts:4.3.3.2057:build_20220623:*:*:*:*:*:*
qnap qts 4.3.3.2211 cpe:2.3:o:qnap:qts:4.3.3.2211:build_20221124:*:*:*:*:*:*
qnap qts 4.2.6 cpe:2.3:o:qnap:qts:4.2.6:build_20170517:*:*:*:*:*:*
qnap qts 4.2.6 cpe:2.3:o:qnap:qts:4.2.6:build_20190322:*:*:*:*:*:*
qnap qts 4.2.6 cpe:2.3:o:qnap:qts:4.2.6:build_20190730:*:*:*:*:*:*
qnap qts 4.2.6 cpe:2.3:o:qnap:qts:4.2.6:build_20190921:*:*:*:*:*:*
qnap qts 4.2.6 cpe:2.3:o:qnap:qts:4.2.6:build_20191107:*:*:*:*:*:*
qnap qts 4.2.6 cpe:2.3:o:qnap:qts:4.2.6:build_20200109:*:*:*:*:*:*
qnap qts 4.2.6 cpe:2.3:o:qnap:qts:4.2.6:build_20200421:*:*:*:*:*:*
qnap qts 4.2.6 cpe:2.3:o:qnap:qts:4.2.6:build_20200611:*:*:*:*:*:*
qnap qts 4.2.6 cpe:2.3:o:qnap:qts:4.2.6:build_20200821:*:*:*:*:*:*
qnap qts 4.2.6 cpe:2.3:o:qnap:qts:4.2.6:build_20210327:*:*:*:*:*:*
qnap qts 4.2.6 cpe:2.3:o:qnap:qts:4.2.6:build_20211215:*:*:*:*:*:*
qnap qts 4.2.6 cpe:2.3:o:qnap:qts:4.2.6:build_20220304:*:*:*:*:*:*
qnap qts 4.2.6 cpe:2.3:o:qnap:qts:4.2.6:build_20220623:*:*:*:*:*:*
qnap qts 4.2.6 cpe:2.3:o:qnap:qts:4.2.6:build_20221028:*:*:*:*:*:*
qnap multimedia_console 2.1.0 cpe:2.3:a:qnap:multimedia_console:2.1.0:*:*:*:*:*:*:*
qnap multimedia_console 2.1.1 cpe:2.3:a:qnap:multimedia_console:2.1.1:*:*:*:*:*:*:*
qnap multimedia_console 1.4.3 cpe:2.3:a:qnap:multimedia_console:1.4.3:*:*:*:*:*:*:*
qnap multimedia_console 1.4.4 cpe:2.3:a:qnap:multimedia_console:1.4.4:*:*:*:*:*:*:*
qnap multimedia_console 1.4.5 cpe:2.3:a:qnap:multimedia_console:1.4.5:*:*:*:*:*:*:*
qnap multimedia_console 1.4.6 cpe:2.3:a:qnap:multimedia_console:1.4.6:*:*:*:*:*:*:*
qnap multimedia_console 1.4.7 cpe:2.3:a:qnap:multimedia_console:1.4.7:*:*:*:*:*:*:*
qnap media_streaming_add-on 500.1.1.0 cpe:2.3:a:qnap:media_streaming_add-on:500.1.1.0:*:*:*:*:*:*:*

References for CVE-2023-23369

cvelogic Threat Intelligence