
CVE-2024-21899: Critical Authentication Bypass Vulnerability in QNAP Products

CVE-2024-21899 (CVSS: 9.8) is an improper-authentication flaw that allows an unauthenticated threat actor to remotely compromise the system over the network in a low-complexity attack. QNAP's advisory also disclosed two other vulnerabilities, CVE-2024-21900 and CVE-2024-21901, which are command injection and SQL injection vulnerabilities. Both require the threat actor to already be authenticated on the target system, which significantly reduces their risk.

Arctic Wolf has not observed any instances of these vulnerabilities being exploited in the wild, nor are we aware of any Proof of Concept (PoC) exploits being published at this time. In the past, several ransomware actors, such as Qlocker, have targeted QNAP products. Given the critical severity and low complexity of the authentication bypass vulnerability, CVE-2024-21899, it is highly likely that threat actors will target this vulnerability in the near future.

Recommendation for CVE-2024-21899

Upgrade QNAP Products to their Fixed Versions 

Arctic Wolf strongly recommends upgrading the affected QNAP products (QTS, QuTS hero, QuTScloud, and myQNAPcloud) to their latest fixed versions.

| Product | Affected Version | Fixed Version |
| --- | --- | --- |
| QTS | QTS 5.1.x | QTS 5.1.3.2578 build 20231110 and later |
| QTS | QTS 4.5.x | QTS 4.5.4.2627 build 20231225 and later |
| QuTS hero | QuTS hero h5.1.x | QuTS hero h5.1.3.2578 build 20231110 and later |
| QuTS hero | QuTS hero h4.5.x | QuTS hero h4.5.4.2626 build 20231225 and later |
| QuTScloud | QuTScloud c5.x | QuTScloud c5.1.5.2651 and later |
| myQNAPcloud | myQNAPcloud 1.0.x | myQNAPcloud 1.0.52 (2023/11/24) and later |

Please follow your organisation’s patching and testing guidelines to avoid operational impact. 
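As an added example (not code from the Arctic Wolf advisory or from QNAP), the following Python helper checks an inventory of installed versions against the fixed versions in the table above, treating a version string that omits the build number as not fixed and flagging branches the table does not cover; the host names and sample versions used with it are constructed.

```python
import re

# Fixed versions per affected branch, taken from the advisory table above.
# The product name already distinguishes QTS / QuTS hero / QuTScloud, so the
# leading h/c letter is stripped before comparison.
FIXED_VERSIONS = {
    "QTS": {"5.1": "5.1.3.2578 build 20231110",
            "4.5": "4.5.4.2627 build 20231225"},
    "QuTS hero": {"5.1": "h5.1.3.2578 build 20231110",
                  "4.5": "h4.5.4.2626 build 20231225"},
    "QuTScloud": {"5": "c5.1.5.2651"},
    "myQNAPcloud": {"1.0": "1.0.52"},
}

VERSION_RE = re.compile(r"^[hc]?(\d+(?:\.\d+)*)(?:\s+build\s+(\d+))?$")

def parse_version(text):
    """Turn 'h5.1.3.2578 build 20231110' into ((5, 1, 3, 2578), 20231110).
    A missing build number is treated as 0, so a bare version string that
    matches the fixed release but omits the build compares as NOT fixed."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised QNAP version string: {text!r}")
    numbers = tuple(int(p) for p in m.group(1).split("."))
    build = int(m.group(2)) if m.group(2) else 0
    return numbers, build

def is_fixed(product, installed):
    """True if the installed version is at or above the fixed version for its
    branch. Raises ValueError for a branch the advisory table does not list,
    so unknown branches are surfaced rather than silently marked safe."""
    numbers, build = parse_version(installed)
    for branch, fixed in FIXED_VERSIONS[product].items():
        prefix = tuple(int(p) for p in branch.split("."))
        if numbers[:len(prefix)] == prefix:
            return (numbers, build) >= parse_version(fixed)
    raise ValueError(f"{product} {installed}: branch not covered by the advisory table")

def audit(inventory):
    """Map each (host, product, version) to 'fixed', 'vulnerable' or 'unknown'."""
    results = {}
    for host, product, version in inventory:
        try:
            results[host] = "fixed" if is_fixed(product, version) else "vulnerable"
        except ValueError:
            results[host] = "unknown"
    return results
```

Hosts reported as "unknown" run a branch outside the advisory table and should be checked against the vendor's current release notes rather than assumed safe.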

References 

  1. QNAP Security Advisory 
  2. QNAP Statement About Qlocker Ransomware 
