CVE-2024-21900
Published: 08 March 2024
Summary
CVE-2024-21900 is a medium-severity Injection (CWE-74) vulnerability in Qnap Qts. Its CVSS base score is 4.3 (Medium).
Operationally, ranked in the top 6.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
An injection vulnerability tracked as CVE-2024-21900 affects multiple versions of QNAP operating systems, including QTS, QuTS hero, and QuTScloud. The flaw, assigned CWE-74, permits command execution through network-accessible interfaces and carries a CVSS 3.1 base score of 4.3 reflecting network attack vector, low attack complexity, and low privileges required.
Authenticated users can exploit the issue to run arbitrary commands on affected devices. Successful exploitation results in limited integrity impact without affecting confidentiality or availability.
QNAP has addressed the vulnerability in QTS 5.1.3.2578 build 20231110 and later, QuTS hero h5.1.3.2578 build 20231110 and later, and QuTScloud c5.1.5.2651 and later, as detailed in security advisory QSA-24-09. The EPSS score has remained steady at 0.1117 with no material post-disclosure rise observed.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-19511
Vulnerability details
An injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated users to execute commands via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.3.2578 build…
more
20231110 and later QuTS hero h5.1.3.2578 build 20231110 and later QuTScloud c5.1.5.2651 and later
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Developer assessments and testing (including injection-focused techniques) identify improper neutralization of special elements, and the verifiable flaw remediation corrects them pre-deployment.
Identifies indicators of injection attacks (command, SQL, LDAP, etc.) via anomaly and attack monitoring.