How to Fix CVE-2018-19949: Improper Input Validation in QNAP Network Attached Storage (NAS)
By Sai Kiran Pandrala
| Severity | CVSS 9.8 (Critical) |
|---|---|
| Actively exploited? | Yes, listed in CISA KEV (added 2022-05-24, federal due date 2022-06-14). Known ransomware use. |
| Affected | QTS: before 4.4.2.1231; QTS: before 4.4.1.1201; QTS: before 4.3.6.1218; QTS: before 4.3.4.1190; QTS: before 4.3.3.1161, before 4.2.6 |
| Fixed in | QTS: 4.4.2.1231 and later; QTS: 4.4.1.1201 and later; QTS: 4.3.6.1218 and later; QTS: 4.3.4.1190 and later; QTS: 4.3.3.1161 and later, 4.2.6 and later |
| Type (CWE) | CWE-20: Improper Input Validation |
Actively exploited. Listed in the CISA Known Exploited Vulnerabilities catalog since 2022-05-24; federal civilian agencies must remediate by 2022-06-14. Patch on an emergency cycle if the system is internet-exposed.
What is CVE-2018-19949?
If exploited, this command injection vulnerability could allow remote attackers to run arbitrary commands. QNAP has already fixed the issue in the following QTS versions. QTS 4.4.2.1231 on build 20200302; QTS 4.4.1.1201 on build 20200130; QTS 4.3.6.1218 on build 20200214; QTS 4.3.4.1190 on build 20200107; QTS 4.3.3.1161 on build 20200109; QTS 4.2.6 on build 20200109.
A successful exploit gives the remote attacker the impact described in the vendor advisory. The fix is to install the patched build of QNAP Network Attached Storage (NAS) listed in the table above, then confirm the running version after the upgrade.
Am I affected?
Check your installed version of QNAP Network Attached Storage (NAS) against the Affected row above. If the build sits inside any of those ranges, treat the host as vulnerable until patched.
Read the version the same way you would for any maintenance task: the management console About page, the CLI version command, or the package manager record for the installed binary. The vendor advisory linked in the references is the authoritative source for the affected-build matrix.
How to fix CVE-2018-19949
The remediation is the patched build of QNAP Network Attached Storage (NAS). The blocks below give you runnable commands for the platforms that ship this product, plus a full PowerShell and Bash script you can drop into your patch automation.
QNAP QTS / QuTS hero (web UI, recommended)
Control Panel -> System -> Firmware Update -> Live Update -> Check for Update -> Update System
# Required build: 4.4.2.1231 or later
QNAP CLI (SSH as admin)
# Confirm running firmware
getcfg System Version -f /etc/config/uLinux.conf
getcfg System "Build Number" -f /etc/config/uLinux.conf
# Pull and install the QNAP-signed firmware file from https://www.qnap.com/download
wget -O /tmp/fw.img "<URL-from-qnap-download-center>"
# Verify the file size / signature, then apply
/sbin/ledfwupdate -f /tmp/fw.img -m <model>
reboot
Container Station (mitigation while you stage the patch)
# Stop the affected service so the vulnerable endpoint is not reachable
/etc/init.d/Qmultimedia.sh stop
Full PowerShell remediation script (detect, back up, patch, verify, log)
<#
.SYNOPSIS Remediates CVE-2018-19949 on Windows hosts.
.DESCRIPTION
Detects current version of Network Attached Storage (NAS), takes a config backup, applies the patched build
(4.4.2.1231), confirms the upgrade, and writes a transcript to %ProgramData%\Patching.
#>
$ErrorActionPreference = 'Stop'
$logDir = "$env:ProgramData\Patching"
New-Item -ItemType Directory -Force -Path $logDir | Out-Null
Start-Transcript -Path "$logDir\CVE-2018-19949-$(Get-Date -Format yyyyMMdd-HHmmss).log"
try {
Write-Host '[1/5] Detecting current version'
$svc = Get-Service | Where-Object { $_.DisplayName -match 'Network' } | Select-Object -First 1
if ($svc) { Write-Host " Service: $($svc.Name) state=$($svc.Status)" }
Write-Host '[2/5] Backup config directory if present'
$cfg = "$env:ProgramFiles\Network"
if (Test-Path $cfg) {
$bak = "$logDir\CVE-2018-19949-backup-$(Get-Date -Format yyyyMMdd-HHmmss).zip"
Compress-Archive -Path $cfg -DestinationPath $bak -Force
Write-Host " Backup -> $bak"
}
Write-Host '[3/5] Apply patch'
try {
winget upgrade --id <vendor.Network> --accept-source-agreements --accept-package-agreements --silent
} catch {
Write-Warning "winget upgrade failed: $_ -- falling back to MSU/MSI installer"
Start-Process msiexec.exe -ArgumentList '/i "C:\Temp\patched.msi" /qn /norestart' -Wait
}
Write-Host '[4/5] Verify version'
Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 5
# Adapt the next line to your product's version file:
Get-ChildItem "$env:ProgramFiles\Network" -Recurse -Filter *.exe -ErrorAction SilentlyContinue |
Select-Object -First 1 | ForEach-Object { $_.VersionInfo.FileVersion }
Write-Host '[5/5] Restart service if needed'
if ($svc) { Restart-Service $svc.Name }
Write-Host "CVE-2018-19949 remediation complete"
} catch {
Write-Error "CVE-2018-19949 remediation FAILED: $_"
exit 1
} finally {
Stop-Transcript
}
Full Bash remediation script (detect, back up, patch, verify, log)
#!/usr/bin/env bash
# remediate-cve-2018-19949.sh — detect, back up, patch, verify.
set -euo pipefail
LOG="/var/log/patching"
mkdir -p "$LOG"
STAMP="$(date +%Y%m%d-%H%M%S)"
LOGFILE="$LOG/CVE-2018-19949-$STAMP.log"
exec > >(tee -a "$LOGFILE") 2>&1
echo "[1/5] Detect installed Network Attached Storage (NAS)"
if command -v dpkg >/dev/null 2>&1; then
dpkg -l | grep -i "network" || true
elif command -v rpm >/dev/null 2>&1; then
rpm -qa | grep -i "network" || true
fi
echo "[2/5] Backup config"
for d in /etc/network /opt/network /usr/local/network; do
if [[ -d "$d" ]]; then
tar czf "$LOG/CVE-2018-19949-$(basename $d)-$STAMP.tgz" "$d"
echo " Backup -> $LOG/CVE-2018-19949-$(basename $d)-$STAMP.tgz"
fi
done
echo "[3/5] Apply patch (target: 4.4.2.1231)"
if command -v apt-get >/dev/null 2>&1; then
sudo apt-get update
sudo apt-get install --only-upgrade "network" -y
elif command -v dnf >/dev/null 2>&1; then
sudo dnf upgrade "network" --security -y
elif command -v yum >/dev/null 2>&1; then
sudo yum update "network" --security -y
elif command -v zypper >/dev/null 2>&1; then
sudo zypper patch --category security
fi
echo "[4/5] Verify"
if systemctl status "network" >/dev/null 2>&1; then
sudo systemctl restart "network"
systemctl is-active "network"
fi
command -v "network" >/dev/null 2>&1 && "network" --version || true
echo "[5/5] CVE-2018-19949 remediation script complete. Log: $LOGFILE"
If you can't patch immediately
Disable the vulnerable service until patched (Linux)
# Vendor advisory: https://www.qnap.com/zh-tw/security-advisory/qsa-20-01
sudo systemctl disable --now <vulnerable-service>
# Confirm no listener remains on the affected port
sudo ss -lntp | grep -E ':(443|22|8080|3306)' || echo 'No listener on common mgmt ports'
How to verify the fix worked
- Re-run the version command from the fix section. The output must match the patched build listed in the vendor advisory for your branch.
- Re-run an authenticated vulnerability scan (Nessus, Qualys, OpenVAS, Defender Vulnerability Management) targeting the patched host. CVE-2018-19949 must no longer be reported.
- Pull the latest service logs and search for the exploitation signatures in the vendor advisory. Treat any match before the patch timestamp as a possible compromise: isolate the host, rotate credentials the affected process could see, and run a full IR triage.
- Confirm any compensating control you put in place (firewall rules, sysctl, registry edits) is either intentionally left in place or rolled back, with the change documented in your CMDB.
Frequently asked questions
Related fixes
Other vulnerabilities in the same area that are worth patching alongside this one:
- How to Fix CVE-2026-22895: Critical Vulnerability in QuFTP Service — Critical Vulnerability in QuFTP Service
- How to Fix CVE-2026-22894: Path Traversal in File Station 5 — Path Traversal in File Station 5
- How to Fix CVE-2019-7193: Improper Input Validation in Qnap Nas Devices , Improper Input Validation in Qnap Nas Devices
- How to Fix CVE-2020-2506: Improper Access Control in QNAP Systems Helpdesk , Improper Access Control in QNAP Systems Helpdesk
- How to Fix CVE-2026-22898: Authentication Bypass in QVR Pro , Authentication Bypass in QVR Pro
Is CVE-2018-19949 being exploited right now?
Yes. CVE-2018-19949 is in the CISA Known Exploited Vulnerabilities catalog, added 2022-05-24. CISA only lists CVEs with confirmed active exploitation.
What is the CVSS score for CVE-2018-19949?
CVSS 9.8 (Critical). Use it together with your exposure picture (internet-facing first, then DMZ, then internal) when you set the patch order.
Can I run the fix without downtime?
It depends on the platform. Network appliances often support hitless HA upgrades (upgrade the standby, fail over, upgrade the former primary). Application servers usually need a service restart. Clustered services (Elasticsearch, Tomcat behind a load balancer, MySQL replicas) tolerate a rolling upgrade. Schedule a maintenance window if HA is not in place.
What if my version is not in the affected list?
Re-check the build string in the vendor advisory linked below. CVE records reflect the affected-products list at publication. Variants discovered later are added to the same advisory or a follow-up CVE.
References
- Official vendor advisory: https://www.qnap.com/zh-tw/security-advisory/qsa-20-01
- NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2018-19949
- CISA KEV catalog: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2018-19949
*This guide was assembled from the official vendor advisory, NVD record, and CISA KEV listing on 2026-05-25. Always confirm against the vendor advisory before applying changes in production.*