CVE-2024-27130

QTS, QuTS hero

CVSS 7.2 HIGHEPSS 38.1%CWE-120 CWE-121

In short

A buffer overflow vulnerability in QNAP QTS and QuTS hero operating systems allows attackers to execute arbitrary code over the network by sending specially crafted data that exceeds expected buffer limits.

Technical detail

CWE-120/121 buffer copy vulnerability in QNAP QTS and QuTS hero enables remote code execution when the system fails to validate input size before copying to a fixed-size buffer. Exploitation requires network access and no authentication; successful exploitation grants arbitrary code execution with system privileges.

Summary generated and translated by AI from the official description.

A buffer copy without checking size of input vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to execute code via a network. We have already fixed the vulnerability in the following version: QTS 5.1.7.2770 build 20240520 and later QuTS hero h5.1.7.2770 build 20240520 and later

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:L

Affected products

QNAP Systems Inc. · QTS QNAP Systems Inc. · QuTS hero

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://www.qnap.com/en/security-advisory/qsa-24-23