Cyber Resilience

CVE-2020-2506

Severity: High · CISA KEV · Active Exploitation · EUVD Exploited

Published: 03 February 2021
Modified: 27 October 2025
KEV Added: 25 March 2022
Patch: available (Helpdesk 3.0.3 or later)
CVSS Score v3.1: 7.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
EPSS Score: 0.1799 (95.3rd percentile)
Risk Priority: 45 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2020-2506 is a high-severity Improper Access Control (CWE-284) vulnerability in QNAP Helpdesk. Its CVSS v3.1 base score is 7.3 (High).

Operationally, it ranks in the top 4.7% of CVEs by exploit likelihood (EPSS), and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).

Deeper analysis

The vulnerability is an improper access control issue (CWE-284), tracked as CVE-2020-2506, that affects QNAP Systems Inc. Helpdesk versions prior to 3.0.3 and earlier versions of QTS. Exploitation can allow an attacker to compromise the security of the software, specifically by gaining privileges or reading sensitive information. The issue carries a CVSS 3.1 base score of 7.3, reflecting a network attack vector, low attack complexity, no required privileges or user interaction, unchanged scope, and low impact on each of confidentiality, integrity, and availability (C:L/I:L/A:L).

An unauthenticated remote attacker can exploit the flaw over the network to obtain elevated privileges within the Helpdesk component or access sensitive data that should otherwise be restricted. Because the vulnerability requires no authentication or user interaction, it can be triggered directly against exposed instances, enabling privilege escalation or information disclosure that further compromises the affected QNAP system.

QNAP has published security advisory QSA-20-08 detailing the issue, and the CVE is listed in CISA's Known Exploited Vulnerabilities catalog, indicating confirmed real-world exploitation and the need for prompt remediation through the vendor-supplied update to Helpdesk 3.0.3 or later.


Vulnerability details

The vulnerability has been reported to affect earlier versions of QTS. If exploited, this improper access control vulnerability could allow attackers to compromise the security of the software by gaining privileges or reading sensitive information. This issue affects: QNAP Systems Inc. Helpdesk versions prior to 3.0.3.

CWE(s): CWE-284 (Improper Access Control)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

QNAP Helpdesk ≤ 3.0.3 (as listed; the advisory text on this page describes versions prior to 3.0.3 as affected and 3.0.3 as the fixed release)

Mitigating Controls (NIST 800-53 r5)

Prevent (AC-3, Access Enforcement): Directly enforces approved access policies to block the unauthenticated privilege escalation and sensitive-data reads enabled by the improper access control flaw.

Prevent (least privilege): Limits privileges assigned to Helpdesk processes and accounts, reducing the impact of any access-control bypass that allows elevation.

Prevent (SI-2, Flaw Remediation): Mandates prompt installation of the vendor patch (Helpdesk 3.0.3 or later) that eliminates the reported improper-access-control vulnerability.
