CVE-2024-21899: Critical Authentication Bypass Vulnerability in QNAP Products

Share :

On 8 March 2024, QNAP published a security advisory detailing a critical vulnerability affecting multiple QNAP products, CVE-2024-21899 (CVSS: 9.8). CVE-2024-21899 allows an unauthenticated threat actor to remotely compromise the security of the system via the network due to improper authentication mechanisms in low complexity attacks. Furthermore, the advisory disclosed two other vulnerabilities, CVE-2024-21900 and CVE-2024-21901, which are command and SQL injection based. These vulnerabilities require threat actors to be authenticated on the target system, thus significantly reducing their risk. 

Arctic Wolf has not observed any instances of these vulnerabilities being exploited in the wild, nor are we aware of any Proof of Concept (PoC) exploits being published at this time. In the past, several ransomware actors such as Qlocker have targeted QNAP products. Given the critical severity and low complexity of the authentication bypass vulnerability, CVE-2024-21899, it is highly likely that the threat actors will target this vulnerability in the near future. 

Recommendation for CVE-2024-21899

Upgrade QNAP Products to their Fixed Versions 

Arctic Wolf strongly recommends upgrading QNAP Products: QTS, QuTS hero, QuTScloud, and myQNAPcloud, to their latest fixed versions. 

Product  Affected Version  Fixed Version 
QTS  QTS 5.1.x  QTS build 20231110 and later 
QTS 4.5.x  QTS build 20231225 and later 
QuTS hero  QuTS hero h5.1.x  QuTS hero h5.1.3.2578 build 20231110 and later 
QuTS hero h4.5.x  QuTS hero h4.5.4.2626 build 20231225 and later 
QuTScloud  QuTScloud c5.x  QuTScloud c5.1.5.2651 and later 
myQNAPcloud  myQNAPcloud 1.0.x  myQNAPcloud 1.0.52 (2023/11/24) and later 


Please follow your organisation’s patching and testing guidelines to avoid operational impact. 


  1. QNAP Security Advisory 
  2. QNAP Statement About Qlocker Ransomware 
Picture of Andres Ramos

Andres Ramos

Andres Ramos is a Threat Intelligence Researcher at Arctic Wolf with a strong background in tracking emerging threats and producing actionable intelligence for both technical and non-technical stakeholders. He has a diverse background encompassing various domains of cyber security, holds a degree in Cybersecurity Engineering, and is a CISSP.
Share :
Table of Contents