CVE-2024-50395
Published: 22 November 2024
Summary
CVE-2024-50395 is a medium-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability in the QNAP Media Streaming add-on. Its CVSS base score is 6.9 (Medium).
Operationally, it is ranked in the top 7.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
An authorization bypass through user-controlled key vulnerability, tracked as CWE-639, affects the Media Streaming add-on for QNAP devices. The flaw permits an attacker to manipulate keys under their control to circumvent authorization checks, and it was assigned a CVSS 4.0 score of 6.9.
Local network attackers can exploit the issue without prior authentication or user interaction beyond the initial request, enabling them to elevate privileges on the affected system. Successful exploitation grants unauthorized access to resources that should be protected by the add-on's authorization logic.
QNAP's security advisory QSA-24-47 confirms the vulnerability is resolved in Media Streaming add-on version 500.1.1.6, released on 2024/08/02, and in all subsequent builds; users are advised to update immediately. The associated EPSS score rose from lower values to a peak of 0.1544 on 2025-12-11 before receding, indicating increased exploitation interest after public disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-45076
Vulnerability details
An authorization bypass through user-controlled key vulnerability has been reported to affect Media Streaming add-on. If exploited, the vulnerability could allow local network attackers to gain privilege. We have already fixed the vulnerability in the following version: Media Streaming add-on 500.1.1.6 ( 2024/08/02 ) and later
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.