CVE-2024-13086
Published: 07 March 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2024-13086 is an exposure of sensitive information vulnerability (CWE-200) affecting QNAP's QTS and QuTS hero operating systems. The issue enables remote attackers to access sensitive data, potentially compromising system security. It impacts versions prior to the patched releases. The vulnerability was formally published on March 7, 2025, and assigned a CVSS v3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N).
Remote, unauthenticated attackers can exploit this vulnerability over the network with low complexity and no user interaction required. Successful exploitation discloses limited sensitive information without impacting integrity or availability, so the compromise of the affected system is partial and confined to confidentiality.
QNAP has addressed the vulnerability through patches in QTS 5.2.0.2851 build 20240808 and later, as well as QuTS hero h5.2.0.2851 build 20240808 and later. Security practitioners should prioritize updating affected devices, with full details available in the vendor advisory at https://www.qnap.com/en/security-advisory/qsa-25-03.
Details
- CWE(s): CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability allows remote unauthenticated attackers to exploit a public-facing QNAP service for sensitive information disclosure, directly aligning with exploitation of public-facing applications.