CVE-2024-21899
Published 2024-03-08
Priority P192 · Critical 9.8 (CVSS 3.1) · AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploited in the wild (ITW, VulnCheck KEV)
EPSS 24.37% (97.6th percentile)
An improper authentication vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to compromise the security of the system via a network.
We have already fixed the vulnerability in the following versions:
- QTS 5.1.3.2578 build 20231110 and later
- QTS 4.5.4.2627 build 20231225 and later
- QuTS hero h5.1.3.2578 build 20231110 and later
- QuTS hero h4.5.4.2626 build 20231225 and later
- QuTScloud c5.1.5.2651 and later
## Affected (14 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| qnap | qts | < 4.5.4.2627 | 4.5.4.2627 |
| qnap | qts | — | — |
| qnap | qts | — | — |
| qnap | qts | >= 5.1.0 < 5.1.3.2578 | 5.1.3.2578 |
| qnap | quts_hero | < h4.5.4.2626 | h4.5.4.2626 |
| qnap | quts_hero | — | — |
| qnap | quts_hero | — | — |
| qnap | quts_hero | >= h5.1.0 < h5.1.3.2578 | h5.1.3.2578 |
| qnap | qutscloud | < c5.1.5.2651 | c5.1.5.2651 |
| qnap_systems_inc | qts | >= 4.5.x < 4.5.4.2627 build 20231225 | 4.5.4.2627 build 20231225 |
| qnap_systems_inc | qts | >= 5.1.x < 5.1.3.2578 build 20231110 | 5.1.3.2578 build 20231110 |
| qnap_systems_inc | quts_hero | >= h4.5.x < h4.5.4.2626 build 20231225 | h4.5.4.2626 build 20231225 |
| qnap_systems_inc | quts_hero | >= h5.1.x < h5.1.3.2578 build 20231110 | h5.1.3.2578 build 20231110 |
| qnap_systems_inc | qutscloud | >= c5.x.x < c5.1.5.2651 | c5.1.5.2651 |
## Detection & IOCs (extracted from sources)
- CVE-2024-21899 can be exploited remotely without authentication and is marked as low complexity, targeting QNAP NAS devices over the network: monitor for unauthenticated HTTP/HTTPS requests to QNAP management interfaces from external IPs.
- The improper authentication vulnerability affects QTS 5.1.x, QTS 4.5.x, QuTS hero h5.1.x, QuTS hero h4.5.x, QuTScloud c5.x, and myQNAPcloud 1.0.x: identify and flag internet-exposed QNAP NAS devices running these versions.
- CVE-2024-21899 is an improper authentication flaw exploitable via the network without credentials; the companion CVEs (CVE-2024-21900 command injection, CVE-2024-21901 SQL injection) require prior authentication, so triage unauthenticated access attempts first as the initial vector.
- Fixed versions differ per product line: ensure version checks in detection logic account for all five affected product branches (QTS, QuTS hero, QuTScloud, myQNAPcloud).
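The per-branch version check the last point asks for, as an added defender-side example written for this page (not QNAP's code and not from any of the listed sources): it parses version strings in the advisory's own format and compares a reported version with the fixed release for its product branch. The branch rule (QTS and QuTS hero fixed per x.y branch, QuTScloud per major version) and the ordering (numeric components first, then build date) are assumptions read off the affected table, not vendor-documented semantics.

```python
import re
from typing import Optional, Tuple

# Fixed versions exactly as listed in the QNAP advisory above. The prefix
# letter selects the product line: none = QTS, h = QuTS hero, c = QuTScloud.
FIXED_VERSIONS = [
    "5.1.3.2578 build 20231110",
    "4.5.4.2627 build 20231225",
    "h5.1.3.2578 build 20231110",
    "h4.5.4.2626 build 20231225",
    "c5.1.5.2651",
]
_VERSION_RE = re.compile(
    r"^(?P<prefix>[hc]?)(?P<nums>\d+(?:\.\d+){1,3})(?:\s+build\s+(?P<build>\d{8}))?$",
    re.IGNORECASE,
)
Version = Tuple[str, Tuple[int, ...], Optional[int]]  # (product, numbers, build)

def parse_version(text: str) -> Version:
    """Parse '5.1.3.2578 build 20231110', 'h4.5.4.2626' or 'c5.1.5.2651'."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised QNAP version string: {text!r}")
    product = {"": "QTS", "h": "QuTS hero", "c": "QuTScloud"}[m["prefix"].lower()]
    nums = tuple(int(n) for n in m["nums"].split("."))
    build = int(m["build"]) if m["build"] else None
    return product, nums, build

def _branch(v: Version) -> Tuple[str, Tuple[int, ...]]:
    # Assumed branch rule, derived from the affected table: QTS and QuTS hero
    # are fixed per x.y branch (4.5, 5.1), QuTScloud per major (c5.x.x).
    product, nums, _ = v
    return product, nums[:1 if product == "QuTScloud" else 2]

def is_vulnerable(reported: str) -> Optional[bool]:
    """True = below the fix for its branch, False = at or above the fix,
    None = the advisory names no fix for this branch (e.g. QTS 5.0.x)."""
    v = parse_version(reported)
    for fixed in (parse_version(f) for f in FIXED_VERSIONS):
        if _branch(fixed) != _branch(v):
            continue
        if v[1] != fixed[1]:
            return v[1] < fixed[1]
        # Same numeric version: the build date decides when both carry one.
        if v[2] is not None and fixed[2] is not None:
            return v[2] < fixed[2]
        return False
    return None
```

A `None` result means the inventory entry needs manual review rather than being silently treated as patched.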
## CVSS provenance
- NVD (v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- VulnCheck: 9.8 CRITICAL
## GHSA
GHSA-mfjq-7ffc-qgmv (ghsa_unreviewed, 2024-03-08): CVE-2024-21899 [CRITICAL], CWE-287. An improper authentication vulnerability has been reported to affect several QNAP operating system versions.
## VulnCheck
QNAP QTS Improper Authentication (vulncheck, 2024, CVE-2024-21899 [CRITICAL], CVSS 9.8)
- Affected: QNAP QTS
- Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
- Exploitation References: https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?
- No detection rules found.
- No public exploits indexed.
## Checkpoint
11th March – Threat Intelligence Report (blogs_checkpoint, 2024-03-11, tagged CVE-2023-46805 [HIGH], CVSS 8.2)
## 11th March – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 11th March, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
Cybersecurity and Infrastructure Security Agency (CISA) has taken offline two systems following a breach that occurred as a result of the recent vulnerabilities exploitation in Ivanti products. The affected systems potentially include the Infrastructure Protection Gateway and the Chemical Security Assessment Tool, holding sen
## Bleepingcomputer
QNAP warns of critical auth bypass flaw in its NAS devices (blogs_bleepingcomputer, 2024-03-08, CVSS 9.8 [CRITICAL])
By Bill Toulas
QNAP warns of vulnerabilities in its NAS software products, including QTS, QuTS hero, QuTScloud, and myQNAPcloud, that could allow attackers to access devices.
The Taiwanese Network Attached Storage (NAS) device maker disclosed three vulnerabilities that can lead to an authentication bypass, command injection, and SQL injection.
While the last two require the attackers to be authenticated on the target system, which significantly lessens the risk, the first (CVE-2024-21899) can be executed remotely without authentication and is marked as "low complexity."
The three flaws fixed are the following:
CVE-2024-21899: Improper authentication mechanisms allow unauthorized users to compromise the system's security t