QNAP OS Command Injection Vulnerability
CVE-2024-38641

7.8HIGH

Key Information:

Vendor: QNAP
Status: Qts; Quts Hero
Vendor: CVE Published:; 6 September 2024

What is CVE-2024-38641?

An OS command injection vulnerability has been identified in several versions of QNAP's operating systems. This vulnerability may allow local network users to execute arbitrary commands through unspecified paths. Users are advised to upgrade to the fixed versions, QTS 5.1.8.2823 build 20240712 and later, or QuTS hero h5.1.8.2823 build 20240712 and later, to mitigate potential exploits and enhance overall security.

Affected Version(s)

QTS 5.1.x < 5.1.8.2823 build 20240712

QuTS hero h5.1.x

References

https://www.qnap.com/en/security-advisory/qsa-24-33

CVSS V3.1

Score:

7.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Sep 6, 2024
Vulnerability Reserved
Jun 19, 2024

Credit

Team Viettel in Matrix Cup 2024