Cyber Resilience

CVE-2024-50394

High

Published: 07 March 2025

Published
07 March 2025
Modified
22 January 2026
KEV Added
Patch
CVSS Score v4 7.7 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0047 65.0th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-50394 is a high-severity Improper Certificate Validation (CWE-295) vulnerability in Qnap Helpdesk. Its CVSS base score is 7.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Adversary-in-the-Middle (T1557); ranked in the top 35.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-17 (Public Key Infrastructure Certificates) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2024-50394 is an improper certificate validation vulnerability (CWE-295) affecting the Helpdesk software component. This flaw, published on 2025-03-07, carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact on confidentiality, integrity, and availability.

Remote attackers can exploit this vulnerability by tricking users into interacting with malicious content, requiring no privileges or authentication. Successful exploitation allows attackers to compromise the security of the affected system, potentially leading to unauthorized access, data manipulation, or disruption of services.

QNAP's security advisory (QSA-25-05) confirms the issue has been addressed in Helpdesk version 3.3.3 and later, recommending immediate updates to mitigate the risk.

EU & UK References

Vulnerability details

An improper certificate validation vulnerability has been reported to affect Helpdesk. If exploited, the vulnerability could allow remote attackers to compromise the security of the system. We have already fixed the vulnerability in the following version: Helpdesk 3.3.3 and later

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1557 Adversary-in-the-Middle Credential Access
Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique to support follow-on behaviors such as [Network Sniffing](https://attack.
Why these techniques?

Improper certificate validation (CWE-295) directly enables Adversary-in-the-Middle attacks by allowing interception of HTTPS connections using fake certificates. The requirement for user interaction with malicious content aligns with triggering vulnerable outbound connections in the Helpdesk component.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-30277Same product class: NAS / storage appliance
CVE-2025-30278Same product class: NAS / storage appliance
CVE-2024-10444Same product class: NAS / storage appliance
CVE-2025-66277Same product class: NAS / storage appliance
CVE-2025-44015Same product class: NAS / storage appliance
CVE-2025-59389Same product class: NAS / storage appliance
CVE-2025-9110Same product class: NAS / storage appliance
CVE-2024-48864Same product class: NAS / storage appliance
CVE-2025-30273Same product class: NAS / storage appliance
CVE-2024-56804Same product class: NAS / storage appliance

Affected Assets

qnap
helpdesk
3.3.1 — 3.3.3

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates the improper certificate validation flaw by identifying, reporting, and applying the vendor-provided fix in Helpdesk 3.3.3 and later versions.

prevent

Ensures proper management, distribution, and validation of PKI certificates, directly addressing the improper certificate validation vulnerability (CWE-295).

prevent

Implements cryptographic protections including FIPS-validated modules and mechanisms that support secure certificate usage and validation during communications.

References