CVE-2024-56804
Published: 03 October 2025
Summary
CVE-2024-56804 is a high-severity SQL Injection (CWE-89) vulnerability in Qnap Video Station. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 27.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
SI-10 requires validating information inputs for consistency with expected content and format, directly and comprehensively preventing SQL injection exploits like CVE-2024-56804.
SI-2 mandates timely identification, reporting, and remediation of system flaws, directly addressing the SQL injection vulnerability fixed in Video Station 5.8.4.
SI-9 restricts information inputs to only allowed types and formats using techniques like allowlisting, providing additional mitigation against SQL injection payloads in CVE-2024-56804.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SQL injection in network-accessible web app (Video Station) directly enables remote code/command execution by authenticated users, mapping to public-facing app exploitation and command interpreters.
NVD Description
An SQL injection vulnerability has been reported to affect Video Station. If a remote attacker gains a user account, they can then exploit the vulnerability to execute unauthorized code or commands. We have already fixed the vulnerability in the following…
more
version: Video Station 5.8.4 and later
Deeper analysisAI
CVE-2024-56804 is an SQL injection vulnerability (CWE-89) affecting QNAP's Video Station application. The flaw allows unauthorized code or command execution and has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its network accessibility, low attack complexity, and significant impacts on confidentiality, integrity, and availability.
A remote attacker who has obtained a valid user account on the affected Video Station instance can exploit this vulnerability to execute arbitrary code or commands, potentially leading to full system compromise.
QNAP's security advisory (QSA-25-32) confirms the issue has been addressed in Video Station version 5.8.4 and later, recommending users upgrade to a patched version for mitigation.
Details
- CWE(s)