CVE-2024-53699

High

Published: 07 March 2025

Published

07 March 2025

Modified

23 September 2025

KEV Added

—

Patch

—

CVSS Score 7.2 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0038 59.7th percentile

Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-53699 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in Qnap Quts Hero. Its CVSS base score is 7.2 (High).

Operationally, ranked in the top 40.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly mandates timely identification, reporting, and patching of flaws like this out-of-bounds write vulnerability, aligning with QNAP's fixed releases.

SI-16 Memory Protection good match

prevent

Implements memory protection safeguards such as address space layout randomization and data execution prevention to block exploitation of out-of-bounds writes leading to corruption.

AC-6 Least Privilege partial match

prevent

Enforces least privilege to minimize the number of administrator accounts that could be used by attackers to remotely exploit the memory corruption vulnerability.

MITRE ATT&CK Enterprise TechniquesAI

Insufficient information to map techniques.

Confidence: LOW · MITRE ATT&CK Enterprise v19.0

NVD Description

An out-of-bounds write vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow remote attackers who have gained administrator access to modify or corrupt memory. We have already fixed the vulnerability in the…

following versions: QTS 5.2.3.3006 build 20250108 and later QuTS hero h5.2.3.3006 build 20250108 and later

Deeper analysisAI

CVE-2024-53699 is an out-of-bounds write vulnerability (CWE-787) affecting several versions of QNAP operating systems, including QTS and QuTS hero prior to their respective patched releases. The flaw enables memory corruption when exploited, as detailed in the CVE description published on 2025-03-07.

Remote attackers who have already gained administrator privileges (PR:H) can exploit this vulnerability over the network (AV:N) with low complexity (AC:L) and no user interaction (UI:N). Successful exploitation allows high-impact modification or corruption of memory, resulting in confidentiality, integrity, and availability impacts scored at CVSS 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).

QNAP's security advisory (QSA-24-54) confirms the issue has been addressed in QTS 5.2.3.3006 build 20250108 and later, as well as QuTS hero h5.2.3.3006 build 20250108 and later. Security practitioners should prioritize updating affected QNAP NAS devices to these versions for mitigation.

Details

CWE(s): CWE-787

Affected Products

qnap

qts

5.2.0.2737, 5.2.0.2744, 5.2.0.2782, 5.2.0.2802, 5.2.0.2823

qnap

quts hero

h5.2.0.2737, h5.2.0.2782, h5.2.0.2789, h5.2.0.2802, h5.2.0.2823

CVEs Like This One

CVE-2024-53697Same product: Qnap Qts

CVE-2025-30273Same product: Qnap Qts

CVE-2024-38638Same product: Qnap Qts

CVE-2025-66277Same product: Qnap Qts

CVE-2024-53693Same product: Qnap Qts

CVE-2024-14026Same product: Qnap Qts

CVE-2025-52864Same product: Qnap Qts

CVE-2025-30264Same product: Qnap Qts

CVE-2024-13086Same product: Qnap Qts

CVE-2025-59385Same product: Qnap Qts

References

https://www.qnap.com/en/security-advisory/qsa-24-54
Vendor Advisory · security@qnapsecurity.com.tw