
CVE-2024-50395

Medium

Published: 22 November 2024

Modified: 08 December 2025
CVSS Score v4 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0847 92.5th percentile
Risk Priority 19 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-50395 is a medium-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability in Qnap Media Streaming Add-On. Its CVSS base score is 6.9 (Medium).

Operationally, it ranks in the top 7.5% of CVEs by exploit likelihood (EPSS), but it is not currently listed in the CISA KEV catalog.

Deeper analysis

An authorization bypass through user-controlled key vulnerability, tracked as CWE-639, affects the Media Streaming add-on for QNAP devices. The flaw permits an attacker to manipulate keys under their control to circumvent authorization checks, and it was assigned a CVSS 4.0 score of 6.9.

Local network attackers can exploit the issue without prior authentication or user interaction beyond the initial request, enabling them to elevate privileges on the affected system. Successful exploitation grants unauthorized access to resources that should be protected by the add-on's authorization logic.

QNAP's security advisory QSA-24-47 confirms the vulnerability is resolved in Media Streaming add-on version 500.1.1.6 released on 2024/08/02 and all subsequent builds; users are advised to update immediately. The associated EPSS score rose from lower values to a peak of 0.1544 on 2025-12-11 before receding, indicating increased exploitation interest after public disclosure.


Vulnerability details

An authorization bypass through user-controlled key vulnerability has been reported to affect Media Streaming add-on. If exploited, the vulnerability could allow local network attackers to gain privilege. We have already fixed the vulnerability in the following version: Media Streaming add-on 500.1.1.6 ( 2024/08/02 ) and later


Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

qnap
media streaming add-on
500.1.1.0 — 500.1.1.6

Mitigating Controls

Likely Mitigating Controls

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-639

Per-request decision making makes it harder to bypass authorization using user-controlled keys without proper validation in the decision process.

addresses: CWE-639

Consistent enforcement of approved authorizations makes bypassing via user-controlled keys ineffective.
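As an added illustration of the two controls above (per-request decision making and consistent enforcement), this is constructed example code, not QNAP's add-on code; the stream records, owners and ids are made up:

```python
# Constructed illustration of CWE-639 (authorization bypass through a
# user-controlled key) and the controls that close it. Not QNAP code.
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Stream:
    stream_id: str
    owner: str
    path: str


# Constructed sample catalogue: two users, each owning one media stream.
STREAMS = {
    "s-100": Stream("s-100", "alice", "/share/alice/holiday.mp4"),
    "s-200": Stream("s-200", "bob", "/share/bob/private.mp4"),
}


def fetch_stream_vulnerable(user: str, stream_id: str) -> Optional[str]:
    """CWE-639 pattern: the caller-supplied key alone selects the record and
    nothing ties that record back to the caller, so any guessable id is served."""
    stream = STREAMS.get(stream_id)
    return stream.path if stream else None


def is_authorized(user: str, stream: Stream) -> bool:
    """Single authorization rule, shared by every endpoint (consistent enforcement)."""
    return stream.owner == user


def fetch_stream_hardened(user: str, stream_id: str) -> Optional[str]:
    """Per-request decision: resolve the key, then check the caller against the
    resolved record before returning anything. Unknown and foreign ids give the
    same answer so the endpoint does not act as an existence oracle."""
    stream = STREAMS.get(stream_id)
    if stream is None or not is_authorized(user, stream):
        return None
    return stream.path


def playlist_hardened(user: str, stream_ids: List[str]) -> List[str]:
    """Batch endpoint applying the same rule to every key, not just the first."""
    paths = []
    for sid in stream_ids:
        stream = STREAMS.get(sid)
        if stream is not None and is_authorized(user, stream):
            paths.append(stream.path)
    return paths
```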
