CVE-2024-13086
Published: 07 March 2025
Summary
CVE-2024-13086 is a medium-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in QNAP QTS. Its CVSS base score is 5.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It ranks at the 36.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AU-13 (Monitoring for Information Disclosure) and SC-7 (Boundary Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Directly mitigates CVE-2024-13086 by requiring timely remediation of the specific information exposure flaw through vendor-provided patches.
Specifically monitors for unauthorized disclosure of sensitive information, enabling detection of exploitation attempts against this remote information exposure vulnerability.
Monitors and controls communications at external boundaries to block remote unauthenticated access that could exploit the sensitive information exposure.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability allows remote unauthenticated attackers to exploit a public-facing QNAP service for sensitive information disclosure, directly aligning with exploitation of public-facing applications.
NVD Description
An exposure of sensitive information vulnerability has been reported to affect product. If exploited, the vulnerability could allow remote attackers to compromise the security of the system. We have already fixed the vulnerability in the following version: QTS 5.2.0.2851 build 20240808 and later, QuTS hero h5.2.0.2851 build 20240808 and later.
Deeper analysis
CVE-2024-13086 is an exposure of sensitive information vulnerability (CWE-200) affecting QNAP's QTS and QuTS hero operating systems. The issue enables remote attackers to access sensitive data, potentially compromising system security. It impacts versions prior to the patched releases, with the vulnerability formally published on March 7, 2025, and assigned a CVSS v3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).
Remote, unauthenticated attackers can exploit this vulnerability over the network with low complexity and no user interaction required. Successful exploitation allows disclosure of limited sensitive information without impacting integrity or availability, thereby enabling partial compromise of the affected system's security posture.
QNAP has addressed the vulnerability through patches in QTS 5.2.0.2851 build 20240808 and later, as well as QuTS hero h5.2.0.2851 build 20240808 and later. Security practitioners should prioritize updating affected devices, with full details available in the vendor advisory at https://www.qnap.com/en/security-advisory/qsa-25-03.
Details
- CWE(s)