CVE-2024-50396

HIGH

Qnap Qts - Format String Vulnerability

Title source: rule

Description

A use of externally-controlled format string vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow remote attackers to obtain secret data or modify memory. We have already fixed the vulnerability in the following versions: QTS 5.2.1.2930 build 20241025 and later QuTS hero h5.2.1.2929 build 20241025 and later

References (1)

[Vendor Advisory] https://www.qnap.com/en/security-advisory/qsa-24-43

Scores

CVSS v3 8.8

EPSS 0.0068

EPSS Percentile 71.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-134

Status published

Products (14)

qnap/qts 5.2.0.2737 build_20240417

qnap/qts 5.2.0.2744 build_20240424

qnap/qts 5.2.0.2782 build_20240601

qnap/qts 5.2.0.2802 build_20240620

qnap/qts 5.2.0.2823 build_20240711

qnap/qts 5.2.0.2851 build_20240808

qnap/qts 5.2.0.2860 build_20240817

qnap/quts_hero h5.2.0.2737 build_20240417

qnap/quts_hero h5.2.0.2782 build_20240601

qnap/quts_hero h5.2.0.2789 build_20240607

... and 4 more

Published Nov 22, 2024

Tracked Since Feb 18, 2026