Critical vulnerability CVE-2024-21899 allows QNAP NAS access without authentication

Sicherheit (Pexels, allgemeine Nutzung)[German]Owners of QNAP NAS drives are at risk from the critical vulnerability CVE-2024-21899. This allows access to devices without requiring authentication via username and password. The manufacturer has released security updates to its vulnerable operating systems to close the vulnerability.


I came across a tweet with the content "CVE-2024-21899 (CVSS 9.8): Critical QNAP Flaw Opens Door to Hackers This bug means attackers can slither into your NAS without needing a username or password." brought the issue to my attention. According to the tweet, more than 3 million devices have been found that have the vulnerability and are accessible via the Internet. The colleagues from Bleeping Computer have published this article on the subject. QNAP has published the security advisory qsa-24-09: Multiple Vulnerabilities in QTS, QuTS hero, QuTScloud, and myQNAPcloud on March 9, 2024. In the products listed below:

QTS 5.1.x, 4.5.x; QuTS hero h5.1.x, h4.5.x; QuTScloud c5.x; myQNAPcloud 1.0.x

there are the critical vulnerabilities:

  • CVE-2024-21899: The vulnerability could allow users to compromise the security of the system over a network during authentication.
  • CVE-2024-21900: The injection vulnerability allows authenticated users to execute commands over a network.
  • CVE-2024-21901: The SQL injection vulnerability could allow authenticated administrators to inject malicious code over a network.

The vulnerabilities are fixed in the following software versions:

  • QTS 5.1.x: QTS build 20231110 and later
  • QTS 4.5.x: QTS build 20231225 and later
  • QuTS hero h5.1.x: QuTS hero h5.1.3.2578 build 20231110 and later
  • QuTS hero h4.5.x: QuTS hero h4.5.4.2626 build 20231225 and later
  • QuTScloud c5.x: QuTScloud c5.1.5.2651 and later
  • myQNAPcloud 1.0.x: myQNAPcloud 1.0.52 (2023/11/24) and later

Owners of of these QNAP products should install the software versions mentioned immediately in order to eliminate the critical vulnerabilities.

Cookies helps to fund this blog: Cookie settings

This entry was posted in devices, Security, Software, Update and tagged , , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *