CVE-2024-53691
Published: 06 December 2024
Summary
CVE-2024-53691 is a high-severity Link Following (CWE-59) vulnerability in Qnap Quts Hero. Its CVSS base score is 8.7 (High).
Operationally, ranked in the top 2.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
A link following vulnerability, tracked as CVE-2024-53691 and assigned CWE-59, affects multiple versions of QNAP's QTS and QuTS hero operating systems. The flaw permits unauthorized traversal of the file system to unintended locations when triggered by an attacker.
Remote attackers who have already obtained user-level access can exploit the issue to reach restricted paths on the affected device, potentially exposing or manipulating sensitive files. The vulnerability carries a CVSS 4.0 score of 8.7, reflecting high impact on confidentiality, integrity, and availability with network access and low attack complexity.
QNAP's security advisory QSA-24-28 states that the issue has been resolved in QTS 5.1.8.2823 build 20240712 and later, QTS 5.2.0.2802 build 20240620 and later, QuTS hero h5.1.8.2823 build 20240712 and later, and QuTS hero h5.2.0.2802 build 20240620 and later; administrators should apply these updates to eliminate the exposure.
The associated EPSS score currently stands at 0.4805 with a recorded peak of 0.4953, indicating moderate and relatively stable exploitation probability since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-52034
Vulnerability details
A link following vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow remote attackers who have gained user access to traverse the file system to unintended locations. We have already fixed the…
more
vulnerability in the following versions: QTS 5.1.8.2823 build 20240712 and later QTS 5.2.0.2802 build 20240620 and later QuTS hero h5.1.8.2823 build 20240712 and later QuTS hero h5.2.0.2802 build 20240620 and later
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.