VYPR
← All advisories
Unrated severityNVD Advisory· Published Mar 8, 2024· Updated Dec 16, 2025

QTS, QuTS hero, QuTScloud

CVE-2024-21900

Description

An injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated users to execute commands via a network.

We have already fixed the vulnerability in the following versions: QTS 5.1.3.2578 build 20231110 and later QuTS hero h5.1.3.2578 build 20231110 and later QuTScloud c5.1.5.2651 and later

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An injection vulnerability in QNAP QTS, QuTS hero, and QuTScloud allows authenticated users to execute arbitrary commands via network.

Vulnerability

An injection vulnerability exists in multiple QNAP operating system versions, including QTS 5.x and 4.5.x, QuTS hero h5.x and h4.5.x, and QuTScloud c5.x [1]. The flaw allows authenticated users to inject and execute arbitrary commands through network requests. Affected versions are those prior to QTS 5.1.3.2578 build 20231110, QTS 4.5.4.2627 build 20231225, QuTS hero h5.1.3.2578 build 20231110, and QuTScloud c5.1.5.2651 [1].

Exploitation

An attacker must first obtain valid user credentials for the QNAP device. With authenticated access, the attacker can send specially crafted network requests to a vulnerable component, triggering command injection. No additional privileges or user interaction beyond authentication are required [1].

Impact

Successful exploitation allows the attacker to execute arbitrary commands with the privileges of the affected service, potentially leading to full system compromise, data exfiltration, or further lateral movement within the network [1].

Mitigation

QNAP has released fixed versions: QTS 5.1.3.2578 build 20231110 and later, QTS 4.5.4.2627 build 20231225 and later, QuTS hero h5.1.3.2578 build 20231110 and later, and QuTScloud c5.1.5.2651 and later [1]. Users should upgrade to these versions immediately. No workarounds have been provided, and the vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog.

References
  1. Multiple Vulnerabilities in QTS, QuTS hero, QuTScloud, myQNAPcloud, and myQNAPcloud Link (PWN2OWN 2023) - Security Advisory

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

6
  • Qnap/Qtsllm-fuzzy
    Range: <5.1.3.2578 build 20231110
  • Qnap/QuTS herollm-fuzzy
    Range: <h5.1.3.2578 build 20231110
  • Qnap/QuTScloudllm-fuzzy
    Range: <c5.1.5.2651
  • QNAP Systems Inc./QTSv5
    Range: 5.1.x
  • QNAP Systems Inc./QuTScloudv5
    Range: c5.x.x
  • QNAP Systems Inc./QuTS herov5
    Range: h5.1.x

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

1

News mentions

0

No linked articles in our index yet.