CVE-2024-53693
Published: 07 March 2025
Description
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Security Summary
CVE-2024-53693 is an improper neutralization of CRLF sequences (CRLF Injection) vulnerability affecting several versions of QNAP operating systems, including QTS and QuTS hero. The issue stems from inadequate handling of CRLF sequences, as indicated by associated CWEs such as CWE-93, CWE-94, and CWE-400. It carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H), highlighting its potential for high availability impact with low complexity and privileges required.
Remote attackers who have already gained user-level access can exploit this vulnerability over the network without user interaction. Successful exploitation allows them to modify application data, potentially leading to disruptions aligned with the high availability impact in the CVSS score.
QNAP has addressed the vulnerability in updated versions: QTS 5.2.3.3006 build 20250108 and later, and QuTS hero h5.2.3.3006 build 20250108 and later. Additional details on mitigation and affected versions are available in the QNAP security advisory at https://www.qnap.com/en/security-advisory/qsa-24-54.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
CRLF injection vuln with high availability impact (A:H) and ability to modify application data enables post-access exploitation for endpoint DoS via application/system exploitation.