ClickCease QNAP Patches: Medium Severity Flaws in OTS QuTS Fixed

Content Table

Join Our Popular Newsletter

Join 4,500+ Linux & Open Source Professionals!

2x a month. No spam.

QNAP Patches: Medium Severity Flaws in OTS QuTS Fixed

Wajahat Raja

June 4, 2024 - TuxCare expert team

In recent updates, QNAP, a prominent Taiwanese company specializing in network-attached storage (NAS) solutions, has diligently addressed several vulnerabilities within its QTS and QuTS hero operating systems. These QNAP patches are crucial for safeguarding NAS appliances against potential cybersecurity threats, reinforcing the company’s commitment to user safety and product integrity.


OTS QuTS Vulnerabilities

The vulnerabilities, affecting versions QTS 5.1.x and QuTS hero h5.1.x, encompass a range of medium-severity issues. These include:


  • CVE-2024-21902: Incorrect permission assignment vulnerability, potentially allowing unauthorized access to critical resources.
  • CVE-2024-27127: Double free vulnerability, opening avenues for executing arbitrary code.

Timely Fixes – QNAP Patches

Acknowledging the critical nature of these
exploitable flaws, QNAP swiftly rolled out QNAP patches with builds QTS and QuTS hero h5.1.7.2770. These firmware updates, released on May 20, 2024, effectively mitigate the identified vulnerabilities. The discovery and reporting of these flaws by Aliz Hammond of WatchTowr Labs underscore the collaborative efforts between security researchers and industry players to uphold system integrity.

QNAP Patches: Vulnerability Details

One noteworthy vulnerability, CVE-2024-27130, highlighted the unsafe use of the ‘strcpy’ function within the share.cgi script, potentially exploited through the ‘ssid’ parameter. While QNAP
network-attached storage security devices employ Address Space Layout Randomization (ASLR) in QTS 4.x and 5.x versions, mitigating exploitation risks, prompt installation of patches remains imperative.

Addressing Past Concerns

This proactive approach follows a prior disclosure by a cybersecurity firm, detailing 15 vulnerabilities, including authentication bypass and code execution risks. QNAP promptly resolved these issues on April 25, 2024, in response to community concerns.

Ongoing Improvements

Despite these efforts, challenges persist, as seen in the delayed resolution of CVE-2024-27131, identified as a UI specification issue within the QuLog Center. QNAP is actively working to address this in the forthcoming QTS 5.2.0 release, underscoring its commitment to comprehensive
firmware security enhancements.

Cyber Attack Prevention

The collaborative dynamics between QNAP and the cybersecurity community play a pivotal role in fortifying product security. WatchTowr Labs, in its commitment to transparency and accountability, publicly disclosed identified
system vulnerabilities after extended coordination periods, urging timely remediation.

Threat Mitigation

response to coordination challenges, QNAP expressed regret and outlined a revised time frame for vulnerability resolution. Moving forward, the company pledges to address high- or critical-severity vulnerabilities within 45 days, with medium-severity issues resolved within 90 days. This proactive stance reflects QNAP’s dedication to enhancing security best practices and fostering a safer digital ecosystem for users worldwide.

User Recommendations – Vulnerability Patching

Ensuring robust
data protection is paramount in today’s digital landscape. Given the potential ramifications of NAS vulnerabilities, users are strongly advised to update their systems promptly. By installing the latest QTS and QuTS hero versions, users can proactively mitigate data breach risks and ensure NAS device security.


In conclusion, QNAP’s swift response to identified vulnerabilities underscores its unwavering commitment to user security and product excellence. Through collaborative engagement with cybersecurity experts and timely patch releases, QNAP strives to uphold the highest standards of security in its NAS solutions, empowering users to navigate the digital landscape with confidence and peace of mind. Staying informed about
QNAP security updates as well as implementing robust cybersecurity measures is crucial for maintaining the integrity of your NAS system.

The sources for this piece include articles in The Hacker News and Decipher.

QNAP Patches: Medium Severity Flaws in OTS QuTS Fixed
Article Name
QNAP Patches: Medium Severity Flaws in OTS QuTS Fixed
Stay secure with the latest QNAP patches for multiple flaws in OTS QuTS. Expert insights from Tux Care ensure your NAS stays protected.
Publisher Name
Publisher Logo

Looking to automate vulnerability patching without kernel reboots, system downtime, or scheduled maintenance windows?

Learn About Live Patching with TuxCare

Become a TuxCare Guest Writer

Get started




Linux & Open Source

Subscribe to
our newsletter