QNAP Patches Critical Vulnerabilities Impacting NAS Devices (CVE-2024-21899, CVE-2024-21900, & CVE-2024-21901)

Multiple NAS devices, including QTS, QuTS hero, QuTScloud, and myQNAPcloud, are vulnerable to three critical severity flaws. Tracked as CVE-2024-21899, CVE-2024-21900, & CVE-2024-21901, the vulnerabilities could allow authenticated administrators to inject malicious code via a network that compromises the system’s security.

Network-attached storage (NAS) is a file-level storage server connected to a computer network. It allows multiple users to store and share files over a TCP/IP network. NAS systems are flexible and can scale out, meaning that users can add them to their storage as needed. NAS uses hard disk drives (HDDs) for storage capacity.


This improper authentication vulnerability may allow users to compromise the system’s security via a network.


This injection vulnerability could allow authenticated users to execute commands via a network.


The SQL injection vulnerability could allow authenticated administrators to inject malicious code via a network.

Affected and Patched Versions 

Affected Product Fixed Version
QTS 5.1.x QTS build 20231110 and later
QTS 4.5.x QTS build 20231225 and later
QuTS hero h5.1.x QuTS hero h5.1.3.2578 build 20231110 and later
QuTS hero h4.5.x QuTS hero h4.5.4.2626 build 20231225 and later
QuTScloud c5.x QuTScloud c5.1.5.2651 and later
myQNAPcloud 1.0.x myQNAPcloud 1.0.52 (2023/11/24) and later

Please refer to the QNAP Security Advisory (QSA-24-09) for more information. 

Qualys Detection

Qualys customers can scan their devices with QID 731239 to detect vulnerable assets.

Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.


Leave a Reply

Your email address will not be published. Required fields are marked *