On March 8, 2024, QNAP published a security advisory detailing a critical vulnerability affecting multiple QNAP products, CVE-2024-21899 (CVSS: 9.8). CVE-2024-21899 allows an unauthenticated threat actor to remotely compromise the security of the system via the network due to improper authentication mechanisms in low complexity attacks. Furthermore, the advisory disclosed two other vulnerabilities, CVE-2024-21900 and CVE-2024-21901, which are command and SQL injection based. These vulnerabilities require threat actors to be authenticated on the target system, thus significantly reducing their risk.
Arctic Wolf has not observed any instances of these vulnerabilities being exploited in the wild, nor are we aware of any Proof of Concept (PoC) exploits being published at this time. In the past, several ransomware actors such as Qlocker have targeted QNAP products. Given the critical severity and low complexity of the authentication bypass vulnerability, CVE-2024-21899, it is highly likely that the threat actors will target this vulnerability in the near future.
Recommendation for CVE-2024-21899
Upgrade QNAP Products to their Fixed Versions
Arctic Wolf strongly recommends upgrading QNAP Products: QTS, QuTS hero, QuTScloud, and myQNAPcloud, to their latest fixed versions.
| Product | Affected Version | Fixed Version |
| QTS | QTS 5.1.x | QTS 5.1.3.2578 build 20231110 and later |
| QTS 4.5.x | QTS 4.5.4.2627 build 20231225 and later | |
| QuTS hero | QuTS hero h5.1.x | QuTS hero h5.1.3.2578 build 20231110 and later |
| QuTS hero h4.5.x | QuTS hero h4.5.4.2626 build 20231225 and later | |
| QuTScloud | QuTScloud c5.x | QuTScloud c5.1.5.2651 and later |
| myQNAPcloud | myQNAPcloud 1.0.x | myQNAPcloud 1.0.52 (2023/11/24) and later |
Please follow your organization’s patching and testing guidelines to avoid operational impact.
References
See other important security bulletins from Arctic Wolf.
