CVE-2024-38638

High

Published: 07 March 2025

Published

07 March 2025

Modified

23 September 2025

KEV Added

—

Patch

—

CVSS Score 7.2 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0038 59.6th percentile

Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Description

An out-of-bounds write vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow remote attackers who have gained administrator access to modify or corrupt memory. QTS 5.2.x/QuTS hero h5.2.x are not affected. We have already fixed the vulnerability in the following versions: QTS 5.1.9.2954 build 20241120 and later QuTS hero h5.1.9.2954 build 20241120 and later

Security Summary

CVE-2024-38638 is an out-of-bounds write vulnerability (CWE-787) affecting several versions of QNAP's QTS and QuTS hero operating systems. The issue, published on 2025-03-07, carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H). QTS 5.2.x and QuTS hero h5.2.x versions are not affected.

The vulnerability can be exploited by remote attackers who have already obtained administrator privileges. Exploitation allows them to modify or corrupt memory, potentially leading to high-impact consequences on confidentiality, integrity, and availability.

QNAP has released fixes for the vulnerability in QTS 5.1.9.2954 build 20241120 and later, as well as QuTS hero h5.1.9.2954 build 20241120 and later. Additional details are available in the vendor's security advisory at https://www.qnap.com/en/security-advisory/qsa-24-52.

Details

CWE(s): CWE-787

Affected Products

qnap

qts

5.1.0.2348, 5.1.0.2399, 5.1.0.2418, 5.1.0.2444, 5.1.0.2466

qnap

quts hero

h5.1.0.2409, h5.1.0.2424, h5.1.0.2453, h5.1.0.2466, h5.1.1.2488

MITRE ATT&CK Enterprise Techniques

Insufficient information to map techniques.

Confidence: LOW · MITRE ATT&CK Enterprise v19.0

References

https://www.qnap.com/en/security-advisory/qsa-24-52
Vendor Advisory · security@qnapsecurity.com.tw