Author: Marius Creutznacher
| Risk Category: High | Document ID: QSYS-04-29-9002 |
| Document Version: 1.0 | Document Status: Final |
Description:
Q-SYS Core Processors contain a remote command injection vulnerability. The vulnerability could allow an unauthenticated remote attacker to execute arbitrary commands with root privileges.
| CVE ID: | CVSS Vectors: | Score: |
| CVE-2026-41528 | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:H/AU:Y/R:U | 9.9 |
Impacted Product Name
Q-SYS Core Processors
Impacted Versions
Q-SYS Designer Version lower than 10.2
Impacts on Installed System
An attacker can gain persistent root-level access to Q-SYS Core Processors.
How to Diagnose Installed System
- Check the firmware version using Core Manager or Designer Configurator. If the firmware version is 10.2 or lower, your system is vulnerable to the issues listed above.
- Check in Core Manager or Designer Configurator whether your system is running without Access Control. If Access Control is Disabled, your system is vulnerable to the issues listed above.
Note: If Access Control is Enabled, authentication is required to exploit the vulnerability.
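The two checks above applied across a fleet, as an added example (not Q-SYS or Acuity code). It assumes a hand-compiled CSV inventory whose column names and sample rows are constructed, and it treats any version below the fixed release 10.2.1 as needing the update.

```python
import csv
import io

FIXED = (10, 2, 1)  # fixed release named in this advisory

# Constructed sample inventory. The column names are assumptions; the values
# would be read by hand from Core Manager or Designer Configurator.
SAMPLE_INVENTORY = """\
name,firmware,access_control
core-lobby,9.12.1,Disabled
core-boardroom,10.2,Enabled
core-theater,10.2.1,Disabled
core-atrium,10.3.0,Enabled
core-lab,unknown,Disabled
"""

def parse_version(text):
    """Return a tuple of ints padded to 3 parts, or None if not a version."""
    parts = text.strip().split(".")
    if not all(p.isascii() and p.isdigit() for p in parts):
        return None
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (3 - len(nums)))  # "10.2" compares as 10.2.0

def triage(row):
    """Classify one Core against the two checks in the advisory."""
    version = parse_version(row["firmware"])
    if version is None:
        return "UNKNOWN: verify firmware version manually"
    if version >= FIXED:
        return "OK: at or above 10.2.1"
    # Anything other than an explicit "Enabled" is treated as Disabled.
    if row["access_control"].strip().lower() == "enabled":
        return "UPDATE: below 10.2.1, exploitation requires authentication"
    return "URGENT: below 10.2.1 and Access Control disabled"

def triage_inventory(csv_text):
    """Map each Core name in the CSV text to its triage status."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["name"]: triage(row) for row in reader}

if __name__ == "__main__":
    for name, status in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{name:16} {status}")
```

Cores reported as URGENT are the ones reachable without authentication and should be updated or have Access Control enabled first.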
Mitigation
- Update to Q-SYS Designer version 10.2.1
  - Removes vulnerable function.
- Enable Access Control
  - If Access Control is Enabled, authentication is required to exploit the vulnerability.
Refer to the Q-SYS Secure Deployment Guide available at the following location for more information on securing a Q-SYS installation: Secure Deployment Guide
Updated Version
Upgrade to Q-SYS Designer Version 10.2.1 to remediate.
Issue Fixed Date
March 31, 2026
Attribution
The issues were identified by Andrew Furlani, a security researcher who focuses on AV systems and solutions.
Acuity knows of no exploitation of these vulnerabilities.
LEGAL DISCLAIMER:
THIS CONTENT IS PROVIDED ON AN "AS IS" BASIS FOR INFORMATIONAL PURPOSES ONLY AND IS PROVIDED WITHOUT ANY WARRANTY OF ANY KIND. THE CONTENT IS INTENDED FOR USERS OF ACUITY PRODUCTS WHO POSSESS THE PROFESSIONAL SKILLS AND JUDGMENT NECESSARY TO INTERPRET THE INFORMATION AND DETERMINE THE APPROPRIATE STEPS TO TAKE. USE OF THE INFORMATION IS AT THE USER'S OWN RISK. THE AUTHOR RESERVES THE RIGHT TO UPDATE OR DELETE THIS CONTENT AT ANY TIME.



