Vulnerability detail

Enriched intelligence for a single CVE

PRO Back to KEVs

9.8

CVSS
Critical

CVE-2020-2507

PUBLISHED

command injection vulnerability in Helpdesk

Exploited in the wild Remote Low complexity No user interaction

Vendor: QNAP Systems Inc.
Product: Helpdesk
Published: Feb 03, 2021
EPSS: —

Automate this intelligence with the Pro API

Everything on this page — CVSS, EPSS, exploit status, PoCs, scanner integrations, mentions, tags, and immediate honeypot data — is available programmatically for VM, SOC, and CTI workflows.

Learn about Pro

Description

The vulnerability have been reported to affect earlier versions of QTS. If exploited, this command injection vulnerability could allow remote attackers to run arbitrary commands. This issue affects: QNAP Systems Inc. Helpdesk versions prior to 3.0.3.

Weaknesses (CWE)

CWE-77

Improper Neutralization of Special Elements used in a Command ('Command Injection')
CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CVSS scores

CVSS v3.1 9.8 Critical

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitation status

Exploited in the wild

Recorded 2025-08-16 00:00:00 UTC · The Shadowserver (via CIRCL)

References

https://www.qnap.com/zh-tw/security-advisory/qsa-20-08

Known exploited vulnerability sources

Catalogues that list this CVE as a known exploited vulnerability.

Source	Added
The Shadowserver (via CIRCL) First	2025-08-16 00:00 UTC

Timeline

CVE ID Reserved

2019-12-09 00:00 UTC
CVE Published to Public

2021-02-03 15:51 UTC
Added to KEVIntel

2025-08-16 00:00 UTC