QNAP Security Enhancement with Ten Security Advisories on Resolved Vulnerabilities

Concerning QVPN Device Client, Qsync Client, and Qfinder Pro for Mac, QTS and QuTS hero, QuLog Center, Legacy QTS, and Legacy QuTS hero, File Station 5, QuRouter, Helpdesk, and HBS 3 Hybrid Backup Sync

QNAP Systems, Inc. has published security advisories for vulnerabilities that affect specific versions of QNAP products. Use the following information and fixed versions to remediate the issues.

This roundup covers the following advisories:

Vulnerability in QVPN Device Client, Qsync Client, and Qfinder Pro for Mac
Security ID: QSA-24-51
Release date: March 8, 2025
CVE identifier: CVE-2024-53694
Severity: Moderate
Status: Resolved
Affected products: QVPN Device Client for Mac 2.2.x, Qsync Client for Mac 5.1.x, Qfinder Pro for Mac 7.11.x

Summary
A time-of-check time-of-use (TOCTOU) race condition vulnerability has been reported to affect certain versions of these utilities. If exploited, the vulnerability could allow local attackers who have gained user access to also gain access to otherwise unauthorized resources.

The company has already fixed the vulnerability in the following versions:

Affected Product                    Fixed Version
QVPN Device Client for Mac 2.2.x    QVPN Device Client for Mac 2.2.5 and later
Qsync Client for Mac 5.1.x          Qsync Client for Mac 5.1.3 and later
Qfinder Pro for Mac 7.11.x          Qfinder Pro for Mac 7.11.1 and later

Vulnerability in QTS and QuTS hero
Security ID: QSA-24-52
Release date: March 8, 2025
CVE identifier: CVE-2024-38638
Severity: Moderate
Status: Resolved
Affected products: QTS 5.1.x, QuTS hero h5.1.x

Summary
An out-of-bounds write vulnerability has been reported to affect certain QNAP OS versions. If exploited, the vulnerability could allow remote attackers who have gained administrator access to modify or corrupt memory.

The company has already fixed the vulnerability in the following versions:

Affected Product      Fixed Version
QTS 5.1.x             QTS 5.1.9.2954 build 20241120 and later
QuTS hero h5.1.x      QuTS hero h5.1.9.2954 build 20241120 and later

QTS 5.2.x and QuTS hero h5.2.x are not affected.

Vulnerability in QuLog Center, Legacy QTS, and Legacy QuTS hero
Security ID: QSA-24-53
Release date: March 8, 2025
CVE identifier: CVE-2024-53696
Severity: Low
Status: Resolved
Affected products: QuLog Center 1.7.x, 1.8.x; QTS 4.5.x; QuTS hero h4.5.x

Summary
A server-side request forgery (SSRF) vulnerability has been reported to affect QuLog Center and legacy versions of QTS and QuTS hero. If exploited, the vulnerability could allow remote attackers who have gained administrator access to read application data.

The company has already fixed the vulnerability in the following versions:

Affected Product      Fixed Version
QuLog Center 1.7.x    QuLog Center 1.7.0.829 (2024/10/01) and later
QuLog Center 1.8.x    QuLog Center 1.8.0.888 (2024/10/15) and later
QTS 4.5.x             QTS 4.5.4.2957 build 20241119 and later
QuTS hero h4.5.x      QuTS hero h4.5.4.2956 build 20241119 and later

Multiple Vulnerabilities in QTS and QuTS hero
Security ID: QSA-24-54
Release date: March 8, 2025
CVE identifiers: CVE-2024-50405 | CVE-2024-53692 | CVE-2024-53693 | CVE-2024-53697 | CVE-2024-53698 | CVE-2024-53699
Severity: Moderate
Status: Resolved
Affected products: QTS 5.2.x, QuTS hero h5.2.x

Summary
Multiple vulnerabilities have been reported to affect certain QNAP OS versions:

  • CVE-2024-50405: If exploited, the improper neutralization of CRLF sequences (‘CRLF Injection’) vulnerability could allow remote attackers who have gained administrator access to modify application data.
  • CVE-2024-53692: If exploited, the command injection vulnerability could allow remote attackers who have gained administrator access to execute arbitrary commands.
  • CVE-2024-53693: If exploited, the improper neutralization of CRLF sequences (‘CRLF Injection’) vulnerability could allow remote attackers who have gained user access to modify application data.
  • CVE-2024-53697, CVE-2024-53699: If exploited, the out-of-bounds write vulnerabilities could allow remote attackers who have gained administrator access to modify or corrupt memory.
  • CVE-2024-53698: If exploited, the double free vulnerability could allow remote attackers who have gained administrator access to modify memory.

The company has already fixed the vulnerabilities in the following versions:

Affected Product      Fixed Version
QTS 5.2.x             QTS 5.2.3.3006 build 20250108 and later
QuTS hero h5.2.x      QuTS hero h5.2.3.3006 build 20250108 and later

Vulnerability in File Station 5
Security ID: QSA-24-55
Release date: March 8, 2025
CVE identifier: CVE-2024-48864
Severity: Moderate
Status: Resolved
Affected products: File Station 5 version 5.5.x

Summary
A vulnerability in which files or directories are accessible to external parties has been reported to affect File Station 5. If exploited, the vulnerability could allow remote attackers to read and write files or directories.

The company has already fixed the vulnerability in the following version:

Affected Product                Fixed Version
File Station 5 version 5.5.x    File Station 5 version 5.5.6.4741 and later

Vulnerability in QuRouter
Security ID: QSA-25-01
Release date: March 8, 2025
CVE identifier: CVE-2024-50390
Severity: Moderate
Status: Resolved
Affected products: QuRouter 2.4.x

Summary
A command injection vulnerability has been reported to affect QuRouter. If exploited, the vulnerability could allow remote attackers to execute arbitrary commands.

The company has already fixed the vulnerability in the following version:

Affected Product      Fixed Version
QuRouter 2.4.x        QuRouter 2.4.5.032 and later

Vulnerability in Legacy QTS and QuTS hero
Security ID: QSA-25-03
Release date: March 8, 2025
CVE identifier: CVE-2024-13086
Severity: Moderate
Status: Resolved
Affected products: QTS 5.1.x, 5.0.x; QuTS hero h5.1.x, h5.0.x

Summary
An exposure of sensitive information vulnerability has been reported to affect certain legacy versions of QTS and QuTS hero. If exploited, the vulnerability could allow remote attackers to compromise the security of the system.

The company has already fixed the vulnerability in the following versions:

Affected Product      Fixed Version
QTS 5.x               QTS 5.2.0.2851 build 20240808 and later
QuTS hero h5.x        QuTS hero h5.2.0.2851 build 20240808 and later

Vulnerability in Helpdesk
Security ID: QSA-25-05
Release date: March 8, 2025
CVE identifier: CVE-2024-50394
Severity: Important
Status: Resolved
Affected products: Helpdesk 3.3.x

Summary
An improper certificate validation vulnerability has been reported to affect Helpdesk. If exploited, the vulnerability could allow remote attackers to compromise the security of the system. This vulnerability does not affect systems where Helpdesk is disabled.

The company has already fixed the vulnerability in the following version:

Affected Product      Fixed Version
Helpdesk 3.3.x        Helpdesk 3.3.3 and later

Vulnerability in HBS 3 Hybrid Backup Sync
Security ID: QSA-25-06
Release date: March 8, 2025
CVE identifier: CVE-2024-53695
Severity: Moderate
Status: Resolved
Affected products: HBS 3 Hybrid Backup Sync 25.1.x

Summary
A buffer overflow vulnerability has been reported to affect HBS 3 Hybrid Backup Sync. If exploited, the vulnerability could allow remote attackers to modify memory or terminate processes.

The company has already fixed the vulnerability in the following version:

Affected Product                   Fixed Version
HBS 3 Hybrid Backup Sync 25.1.x    HBS 3 Hybrid Backup Sync 25.1.4.952 and later

Vulnerability in QuRouter
Security ID: QSA-25-07
Release date: March 8, 2025
CVE identifier: CVE-2024-53700
Severity: Moderate
Status: Resolved
Affected products: QuRouter 2.4.x

Summary
A command injection vulnerability has been reported to affect QuRouter. If exploited, the vulnerability could allow remote attackers who have gained administrator access to execute arbitrary commands.

The company has already fixed the vulnerability in the following version:

Affected Product      Fixed Version
QuRouter 2.4.x        QuRouter 2.4.6.028 and later

For any questions regarding these advisories, contact the company.
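As an added example (not QNAP's own tooling, and not part of the original advisories), the script below turns the fixed-version tables on this page into a check that can be run against an inventory of installed versions. The advisory rows are transcribed from the tables above; the version grammar it parses (dotted numerics, an optional leading "h" for QuTS hero, an optional "(YYYY/MM/DD)" date, an optional trailing "build NNNNNNNN") is an assumption drawn from the formats that appear on this page. It makes visible a point a quick read of the tables can miss: a QTS 5.1.9.2954 build 20241120 system is fixed for QSA-24-52 but still affected by QSA-25-03, whose fix is only in 5.2.0.2851 and later, and a QuRouter on 2.4.5.032 satisfies QSA-25-01 but not QSA-25-07.

```python
"""Check an installed QNAP product version against the fixed versions in this roundup.

Added example, not QNAP's own tooling. ADVISORIES is transcribed from the advisories above;
the version grammar (dotted numerics, optional leading 'h' for QuTS hero, optional
'(YYYY/MM/DD)' date, optional trailing 'build NNNNNNNN') is assumed from the page's formats.
"""
import re

# (advisory, CVE(s), product, affected branch, fixed version)
ADVISORIES = [
    ("QSA-24-51", "CVE-2024-53694", "QVPN Device Client for Mac", "2.2.x", "2.2.5"),
    ("QSA-24-51", "CVE-2024-53694", "Qsync Client for Mac", "5.1.x", "5.1.3"),
    ("QSA-24-51", "CVE-2024-53694", "Qfinder Pro for Mac", "7.11.x", "7.11.1"),
    ("QSA-24-52", "CVE-2024-38638", "QTS", "5.1.x", "5.1.9.2954 build 20241120"),
    ("QSA-24-52", "CVE-2024-38638", "QuTS hero", "h5.1.x", "h5.1.9.2954 build 20241120"),
    ("QSA-24-53", "CVE-2024-53696", "QuLog Center", "1.7.x", "1.7.0.829 (2024/10/01)"),
    ("QSA-24-53", "CVE-2024-53696", "QuLog Center", "1.8.x", "1.8.0.888 (2024/10/15)"),
    ("QSA-24-53", "CVE-2024-53696", "QTS", "4.5.x", "4.5.4.2957 build 20241119"),
    ("QSA-24-53", "CVE-2024-53696", "QuTS hero", "h4.5.x", "h4.5.4.2956 build 20241119"),
    ("QSA-24-54", "CVE-2024-53692 (+5 more)", "QTS", "5.2.x", "5.2.3.3006 build 20250108"),
    ("QSA-24-54", "CVE-2024-53692 (+5 more)", "QuTS hero", "h5.2.x", "h5.2.3.3006 build 20250108"),
    ("QSA-24-55", "CVE-2024-48864", "File Station 5", "5.5.x", "5.5.6.4741"),
    ("QSA-25-01", "CVE-2024-50390", "QuRouter", "2.4.x", "2.4.5.032"),
    # QSA-25-03's table covers the whole 5.x line; its header narrows that to 5.0.x and 5.1.x.
    ("QSA-25-03", "CVE-2024-13086", "QTS", "5.x", "5.2.0.2851 build 20240808"),
    ("QSA-25-03", "CVE-2024-13086", "QuTS hero", "h5.x", "h5.2.0.2851 build 20240808"),
    ("QSA-25-05", "CVE-2024-50394", "Helpdesk", "3.3.x", "3.3.3"),
    ("QSA-25-06", "CVE-2024-53695", "HBS 3 Hybrid Backup Sync", "25.1.x", "25.1.4.952"),
    ("QSA-25-07", "CVE-2024-53700", "QuRouter", "2.4.x", "2.4.6.028"),
]

_VERSION_RE = re.compile(
    r"^h?(?P<nums>\d+(?:\.\d+)*)"        # dotted numeric part, e.g. 5.1.9.2954
    r"(?:\s*\([\d/]+\))?"                # optional '(2024/10/01)' release date, ignored
    r"(?:\s*build\s*(?P<build>\d+))?$",  # optional 'build 20241120'
    re.IGNORECASE,
)

def parse_version(text):
    """'h5.1.9.2954 build 20241120' -> ((5, 1, 9, 2954), 20241120); build is None when absent."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised QNAP version string: {text!r}")
    nums = tuple(int(p) for p in m.group("nums").split("."))
    build = int(m.group("build")) if m.group("build") else None
    return nums, build

def version_at_least(installed, fixed):
    """True when installed >= fixed; the build number only decides ties when both carry one."""
    (inum, ibuild), (fnum, fbuild) = parse_version(installed), parse_version(fixed)
    width = max(len(inum), len(fnum))  # right-pad so '5.1' compares as '5.1.0.0'
    inum, fnum = inum + (0,) * (width - len(inum)), fnum + (0,) * (width - len(fnum))
    if inum != fnum:
        return inum > fnum
    if ibuild is not None and fbuild is not None:
        return ibuild >= fbuild
    return True

def in_branch(installed, branch):
    """'5.2.3.3006 build 20250108' is in '5.2.x' and '5.x' but not in '5.1.x'."""
    prefix = tuple(int(p) for p in branch.lstrip("h").removesuffix(".x").split("."))
    nums, _ = parse_version(installed)
    return nums[: len(prefix)] == prefix

def check(product, installed):
    """One (advisory, cve, branch, fixed, status) row per ADVISORIES line naming this product.

    status is 'fixed' (installed >= fixed), 'affected' (in the branch but below the fix) or
    'outside branch' (the row does not cover this release line, e.g. QTS 5.2.x for QSA-24-52).
    """
    rows = []
    for adv, cve, prod, branch, fixed in ADVISORIES:
        if prod != product:
            continue
        if not in_branch(installed, branch):
            status = "outside branch"
        elif version_at_least(installed, fixed):
            status = "fixed"
        else:
            status = "affected"
        rows.append((adv, cve, branch, fixed, status))
    return rows

def pending_fixes(product, installed):
    """(advisory, fixed version) pairs still outstanding for this installation."""
    return [(adv, fixed) for adv, _, _, fixed, st in check(product, installed) if st == "affected"]

if __name__ == "__main__":
    # Constructed sample inputs, as a fleet inventory might report them.
    for product, installed in [("QTS", "5.1.9.2954 build 20241120"), ("QuRouter", "2.4.5.032")]:
        for adv, cve, branch, fixed, status in check(product, installed):
            print(f"{product} {installed}: {adv} {cve} [{branch} -> {fixed}] {status}")
        print(f"  outstanding: {pending_fixes(product, installed) or 'none'}")
```

The branch test runs before the version comparison so that a release line an advisory does not list (QTS 5.2.x for QSA-24-52, which the advisory explicitly calls unaffected) is reported as "outside branch" rather than silently treated as patched. The build number is compared only when both strings carry one, so an inventory that records "5.1.9.2954" without the build suffix is not flagged merely for the missing field.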