Cyber Posture

CVE-2024-53699

High

Published: 07 March 2025

Published
07 March 2025
Modified
23 September 2025
KEV Added
Patch
CVSS Score 7.2 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0038 59.6th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Description

An out-of-bounds write vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow remote attackers who have gained administrator access to modify or corrupt memory. We have already fixed the vulnerability in the following versions: QTS 5.2.3.3006 build 20250108 and later QuTS hero h5.2.3.3006 build 20250108 and later

Security Summary

CVE-2024-53699 is an out-of-bounds write vulnerability (CWE-787) affecting several versions of QNAP operating systems, including QTS and QuTS hero prior to their respective patched releases. The flaw enables memory corruption when exploited, as detailed in the CVE description published on 2025-03-07.

Remote attackers who have already gained administrator privileges (PR:H) can exploit this vulnerability over the network (AV:N) with low complexity (AC:L) and no user interaction (UI:N). Successful exploitation allows high-impact modification or corruption of memory, resulting in confidentiality, integrity, and availability impacts scored at CVSS 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).

QNAP's security advisory (QSA-24-54) confirms the issue has been addressed in QTS 5.2.3.3006 build 20250108 and later, as well as QuTS hero h5.2.3.3006 build 20250108 and later. Security practitioners should prioritize updating affected QNAP NAS devices to these versions for mitigation.

Details

CWE(s)
CWE-787

Affected Products

qnap
qts
5.2.0.2737, 5.2.0.2744, 5.2.0.2782, 5.2.0.2802, 5.2.0.2823
qnap
quts hero
h5.2.0.2737, h5.2.0.2782, h5.2.0.2789, h5.2.0.2802, h5.2.0.2823

MITRE ATT&CK Enterprise Techniques

Insufficient information to map techniques.
Confidence: LOW · MITRE ATT&CK Enterprise v19.0

References