CVE-2024-48864
Published: 07 March 2025
Description
Adversaries may transfer tools or other files from an external system into a compromised environment.
Security Summary
CVE-2024-48864 is a "Files or Directories Accessible to External Parties" vulnerability (CWE-552) affecting QNAP's File Station 5. Published on 2025-03-07, it carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N): critical severity, driven by high confidentiality and integrity impact with no availability impact.
Remote, unauthenticated attackers can exploit this vulnerability over the network with low attack complexity and no user interaction required. Exploitation enables them to read and write arbitrary files or directories accessible through File Station 5, potentially leading to unauthorized data access, modification, or persistence on the targeted system.
QNAP has mitigated the issue in File Station 5 version 5.5.6.4741 and later releases. Administrators should update to these patched versions promptly. Additional details are available in the vendor's security advisory at https://www.qnap.com/en/security-advisory/qsa-24-55.
Details
- CWE(s): CWE-552
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability in the public-facing File Station application enables remote unauthenticated exploitation (T1190). It directly permits reading arbitrary files (T1005: Data from Local System) and writing files (T1105: Ingress Tool Transfer).