Cyber Resilience

CVE-2024-21900

Medium

Published: 08 March 2024

Published
08 March 2024
Modified
21 November 2024
KEV Added
Patch
CVSS Score v3.1 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
EPSS Score 0.1117 93.7th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-21900 is a medium-severity Injection (CWE-74) vulnerability in Qnap Qts. Its CVSS base score is 4.3 (Medium).

Operationally, ranked in the top 6.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

An injection vulnerability tracked as CVE-2024-21900 affects multiple versions of QNAP operating systems, including QTS, QuTS hero, and QuTScloud. The flaw, assigned CWE-74, permits command execution through network-accessible interfaces and carries a CVSS 3.1 base score of 4.3 reflecting network attack vector, low attack complexity, and low privileges required.

Authenticated users can exploit the issue to run arbitrary commands on affected devices. Successful exploitation results in limited integrity impact without affecting confidentiality or availability.

QNAP has addressed the vulnerability in QTS 5.1.3.2578 build 20231110 and later, QuTS hero h5.1.3.2578 build 20231110 and later, and QuTScloud c5.1.5.2651 and later, as detailed in security advisory QSA-24-09. The EPSS score has remained steady at 0.1117 with no material post-disclosure rise observed.

EU & UK References

Vulnerability details

An injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated users to execute commands via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.3.2578 build…

more

20231110 and later QuTS hero h5.1.3.2578 build 20231110 and later QuTScloud c5.1.5.2651 and later

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

qnap
qts
5.1.3.2578 · ≤ 5.1.3.2578
qnap
quts hero
h5.1.3.2578 · ≤ h5.1.3.2578
qnap
qutscloud
≤ c5.1.5.2651

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-74

Developer assessments and testing (including injection-focused techniques) identify improper neutralization of special elements, and the verifiable flaw remediation corrects them pre-deployment.

addresses: CWE-74

Identifies indicators of injection attacks (command, SQL, LDAP, etc.) via anomaly and attack monitoring.

References