Cyber Resilience

CVE-2024-53699

Low

Published: 07 March 2025

Published
07 March 2025
Modified
23 September 2025
KEV Added
Patch
CVSS Score v4 2.1 CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0038 60.0th percentile
Risk Priority 4 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-53699 is a low-severity Out-of-bounds Write (CWE-787) vulnerability in Qnap Quts Hero. Its CVSS base score is 2.1 (Low).

Operationally, ranked in the top 40.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2024-53699 is an out-of-bounds write vulnerability (CWE-787) affecting several versions of QNAP operating systems, including QTS and QuTS hero prior to their respective patched releases. The flaw enables memory corruption when exploited, as detailed in the CVE description published on 2025-03-07.

Remote attackers who have already gained administrator privileges (PR:H) can exploit this vulnerability over the network (AV:N) with low complexity (AC:L) and no user interaction (UI:N). Successful exploitation allows high-impact modification or corruption of memory, resulting in confidentiality, integrity, and availability impacts scored at CVSS 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).

QNAP's security advisory (QSA-24-54) confirms the issue has been addressed in QTS 5.2.3.3006 build 20250108 and later, as well as QuTS hero h5.2.3.3006 build 20250108 and later. Security practitioners should prioritize updating affected QNAP NAS devices to these versions for mitigation.

EU & UK References

Vulnerability details

An out-of-bounds write vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow remote attackers who have gained administrator access to modify or corrupt memory. We have already fixed the vulnerability in the…

more

following versions: QTS 5.2.3.3006 build 20250108 and later QuTS hero h5.2.3.3006 build 20250108 and later

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

Insufficient information to map techniques.
Confidence: LOW · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-30273Same product: Qnap Qts
CVE-2024-38638Same product: Qnap Qts
CVE-2024-53697Same product: Qnap Qts
CVE-2025-66277Same product: Qnap Qts
CVE-2025-52863Same product: Qnap Qts
CVE-2025-30264Same product: Qnap Qts
CVE-2025-59385Same product: Qnap Qts
CVE-2024-53693Same product: Qnap Qts
CVE-2025-9110Same product: Qnap Qts
CVE-2025-52864Same product: Qnap Qts

Affected Assets

qnap
qts
5.2.0.2737, 5.2.0.2744, 5.2.0.2782, 5.2.0.2802, 5.2.0.2823
qnap
quts hero
h5.2.0.2737, h5.2.0.2782, h5.2.0.2789, h5.2.0.2802, h5.2.0.2823

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mandates timely identification, reporting, and patching of flaws like this out-of-bounds write vulnerability, aligning with QNAP's fixed releases.

prevent

Implements memory protection safeguards such as address space layout randomization and data execution prevention to block exploitation of out-of-bounds writes leading to corruption.

prevent

Enforces least privilege to minimize the number of administrator accounts that could be used by attackers to remotely exploit the memory corruption vulnerability.

References