CVE-2024-53691
published 2024-12-06


Priority P271, high, 8.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 20.11% (97.1th percentile)
A link following vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow remote attackers who have gained user access to traverse the file system to unintended locations. We have already fixed the vulnerability in the following versions:
  • QTS 5.1.8.2823 build 20240712 and later
  • QTS 5.2.0.2802 build 20240620 and later
  • QuTS hero h5.1.8.2823 build 20240712 and later
  • QuTS hero h5.2.0.2802 build 20240620 and later

Affected

37 ranges, showing 25
Vendor | Product | Rows shown
qnap | qts | 16
qnap | quts_hero | 9

Detection & IOCs (extracted from sources)

url: /cgi-bin/filemanager/utilRequest.cgi?
command: func=chunked_upload
command: func=extract
command: func=cipher&subfunc=decrypt
snort
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS QNAP QTS/QuTS File Upload (CVE-2024-53691)"; flow:established,to_server; flowbits:isset,ET.ZIP.Symlink.Inbound; flowbits:set,ET.QNAP.CVE-2024-53691.Upload; http.method; content:"POST"; http.uri; content:"/cgi-bin/filemanager/utilRequest.cgi?"; fast_pattern; content:"func|3d|chunked_upload"; reference:url,github.com/C411e/CVE-2024-53691; reference:cve,2024-53691; classtype:web-application-attack; sid:2059742; rev:1; metadata:affected_product QNAP, attack_target Server, tls_state TLSDecrypt, created_at 2025_01_29, cve CVE_2024_53691, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, updated_at 2025_01_29, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
snort
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS QNAP QTS/QuTS Unpack File (CVE-2024-53691)"; flow:established,to_server; flowbits:isset,ET.QNAP.CVE-2024-53691.Upload; flowbits:set,ET.QNAP.CVE-2024-53691.Overwrite; http.method; content:"GET"; http.uri; content:"/cgi-bin/filemanager/utilRequest.cgi?"; fast_pattern; content:"func|3d|extract"; reference:url,github.com/C411e/CVE-2024-53691; reference:cve,2024-53691; classtype:web-application-attack; sid:2059743; rev:1; metadata:affected_product QNAP, attack_target Server, tls_state TLSDecrypt, created_at 2025_01_29, cve CVE_2024_53691, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, updated_at 2025_01_29, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
snort
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS QNAP QTS/QuTS Decrypt File (CVE-2024-53691)"; flow:established,to_server; flowbits:isset,ET.QNAP.CVE-2024-53691.Overwrite; http.method; content:"GET"; http.uri; content:"/cgi-bin/filemanager/utilRequest.cgi?"; fast_pattern; content:"func|3d|cipher"; content:"subfunc|3d|decrypt"; http.request_body; content:"mode|3d|0"; content:"keep|3d|1"; reference:url,github.com/C411e/CVE-2024-53691; reference:cve,2024-53691; classtype:web-application-attack; sid:2059747; rev:1; metadata:affected_product QNAP, attack_target Server, tls_state TLSDecrypt, created_at 2025_01_29, cve CVE_2024_53691, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, updated_at 2025_01_29, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
  • The exploit chain is three-stage: (1) POST a ZIP containing a symlink to /cgi-bin/filemanager/utilRequest.cgi?func=chunked_upload, (2) GET the same endpoint with func=extract to unpack and follow the symlink, (3) GET with func=cipher&subfunc=decrypt plus body params mode=0&keep=1 to decrypt/overwrite the target file. Snort flowbits chain ET.ZIP.Symlink.Inbound → ET.QNAP.CVE-2024-53691.Upload → ET.QNAP.CVE-2024-53691.Overwrite tracks this progression.
  • Stage 1 trigger: inbound ZIP archive containing a symlink (flowbit ET.ZIP.Symlink.Inbound must already be set) followed by a POST to the chunked_upload function. Correlate ZIP symlink detection with this POST to confirm exploitation attempt.
  • Stage 2 trigger: GET request to func=extract after a successful upload (flowbit ET.QNAP.CVE-2024-53691.Upload set). This step causes the symlink to be followed, enabling path traversal.
  • Stage 3 trigger: GET request to func=cipher with subfunc=decrypt and body containing mode=0&keep=1, only after the overwrite flowbit is set. This finalises file manipulation at the traversed path.
  • Public PoC code is available at github.com/C411e/CVE-2024-53691, referenced by all three Snort rules. Threat actors may use or adapt this PoC directly.
  • All three Snort rules carry tls_state TLSDecrypt and deployment SSLDecrypt metadata, meaning they will only fire on TLS-decrypted traffic. Environments without SSL/TLS inspection will not trigger these signatures.
  • Each rule depends on an upstream flowbit: the upload rule requires ET.ZIP.Symlink.Inbound, the extract rule requires ET.QNAP.CVE-2024-53691.Upload, and the decrypt rule requires ET.QNAP.CVE-2024-53691.Overwrite. If the prerequisite rule does not fire (e.g., due to rule set gaps or traffic ordering), the dependent rules will silently miss the attack.
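
Where TLS inspection is unavailable, the same upload → extract → decrypt ordering can be checked after the fact in the NAS or reverse-proxy access log. The following is an added example, not part of the Snort rules or of any QNAP tooling; it assumes a combined-style log format and keys state on client IP, and it cannot see the ZIP contents or the mode=0&keep=1 body parameters, so it is coarser than the rules above. The log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

ENDPOINT = "/cgi-bin/filemanager/utilRequest.cgi"
ORDER = ["upload", "extract", "decrypt"]   # same order as the flowbits chain
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" \d{3}')

# Constructed sample lines (documentation IP ranges), not captured traffic.
SAMPLE_LOG = """\
198.51.100.7 - - [29/Jan/2025:10:00:01 +0000] "POST /cgi-bin/filemanager/utilRequest.cgi?func=chunked_upload&sid=a HTTP/1.1" 200 90
203.0.113.5 - - [29/Jan/2025:10:00:02 +0000] "GET /cgi-bin/filemanager/utilRequest.cgi?func=extract&sid=b HTTP/1.1" 200 90
198.51.100.7 - - [29/Jan/2025:10:00:03 +0000] "POST /cgi-bin/filemanager/utilRequest.cgi?func=chunked_upload&sid=a HTTP/1.1" 200 90
198.51.100.7 - - [29/Jan/2025:10:00:05 +0000] "GET /cgi-bin/filemanager/utilRequest.cgi?func=extract&sid=a HTTP/1.1" 200 90
203.0.113.5 - - [29/Jan/2025:10:00:06 +0000] "GET /cgi-bin/filemanager/utilRequest.cgi?func=cipher&subfunc=decrypt&sid=b HTTP/1.1" 200 90
192.0.2.44 - - [29/Jan/2025:10:00:07 +0000] "POST /cgi-bin/filemanager/utilRequest.cgi?func=chunked_upload&sid=c HTTP/1.1" 200 90
192.0.2.44 - - [29/Jan/2025:10:00:08 +0000] "GET /cgi-bin/filemanager/utilRequest.cgi?func=cipher&subfunc=decrypt&sid=c HTTP/1.1" 200 90
198.51.100.7 - - [29/Jan/2025:10:00:09 +0000] "GET /cgi-bin/filemanager/utilRequest.cgi?func=cipher&subfunc=decrypt&sid=a HTTP/1.1" 200 90
"""

def classify(method, uri):
    """Map one request to a chain stage, or None if it is not part of the chain."""
    parts = urlsplit(uri)
    if parts.path != ENDPOINT:
        return None
    q = parse_qs(parts.query)
    func = q.get("func", [""])[0]
    if method == "POST" and func == "chunked_upload":
        return "upload"
    if method == "GET" and func == "extract":
        return "extract"
    if method == "GET" and func == "cipher" and q.get("subfunc", [""])[0] == "decrypt":
        return "decrypt"
    return None

def correlate(log_text):
    """Return (client, timestamp) for each client that completes all three stages in order."""
    progress, hits = {}, []          # progress: client -> stages matched so far
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        client, ts, method, uri = m.groups()
        n = progress.get(client, 0)
        if classify(method, uri) != ORDER[n]:
            continue                 # out-of-order or repeated stage: state is kept
        progress[client] = (n + 1) % len(ORDER)
        if n + 1 == len(ORDER):
            hits.append((client, ts))
    return hits

if __name__ == "__main__":
    print(correlate(SAMPLE_LOG))
```

Only the client that performs all three stages in order is reported; extract and decrypt without a prior upload, or an upload followed directly by decrypt, produce no hit, which mirrors how the dependent rules stay silent when a prerequisite flowbit was never set.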

CVSS provenance

nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd | v4.0 | 8.7 | HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X