CVE-2024-32766

Description

An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to execute commands via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.3.2578 build 20231110 and later QTS 4.5.4.2627 build 20231225 and later QuTS hero h5.1.3.2578 build 20231110 and later QuTS hero h4.5.4.2626 build 20231225 and later QuTScloud c5.1.5.2651 and later

CVSS v3.1 Score

10.0

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Weakness Type (CWE)

CWE-77 CWE-77

CWE-78 OS Command Injection

Affected Products

Vendor	Product	Versions
qnap	qts	< 4.5.4.2627
qnap	qts	5.0.0 — 5.1.3.2578
qnap	qts	All
qnap	qts	All
qnap	quts_hero	h4.5.0 — h4.5.4.2626
qnap	quts_hero	h5.0.0 — h5.1.3.2578
qnap	quts_hero	All
qnap	quts_hero	All
qnap	qutscloud	c5.0.0.1919 — c5.1.5.2651

References

Advisories & Patches

https://www.qnap.com/en/security-advisory/qsa-24-09 https://www.qnap.com/en/security-advisory/qsa-24-09

Frequently Asked Questions

What is CVE-2024-32766? +

An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow users to execute commands via a network. We have already fixed the vulnerability in the following versions: QTS 5.1.3.2578 build 20231110 and later QTS 4.5.4.2627 build 20231225 and later QuTS hero h5.1.3.2578 build 20231110 and later QuTS hero h4.5.4.2626 build 20231225 and later QuTScloud c5.1.5.2651 and later It has a CVSS v3.1 base score of 10.0 (CRITICAL).

How severe is CVE-2024-32766? +

CVE-2024-32766 has a CVSS v3.1 score of 10.0 out of 10, rated CRITICAL. This is a critical vulnerability that should be patched immediately.

What products are affected by CVE-2024-32766? +

CVE-2024-32766 affects products from qnap, specifically: qts, quts_hero, qutscloud. Check the affected products table above for specific version ranges.

How do I check if I'm vulnerable to CVE-2024-32766? +

You can use Secably's free Website Scanner to check your website for known vulnerabilities. For infrastructure scanning, use the Port Scanner to identify exposed services that may be affected. Check the vendor advisories linked above for specific patch and version information.

Related Vulnerabilities

CVE-2026-42258

Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Prior to versions 0.4.24, 0.5.14, and 0.6.4, symbol arguments …

CVE-2026-42453

Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. Prior to version 2.1.0, the …

CVE-2023-5878

Honeywell OneWireless Wireless Device Manager (WDM) for the following versions R310.x, R320.x, R321.x, R322.1, R322.2, R323.x, R330.1 contains a command …

CVE-2025-46735

Terraform WinDNS Provider allows users to manage their Windows DNS server resources through Terraform. A security issue has been found …

CVE-2025-4009

The Evertz SDVN 3080ipx-10G is a High Bandwidth Ethernet Switching Fabric for Video Application. This device exposes a web management …

CVE-2024-4999

A vulnerability in the web-based management interface of multiple Ligowave devices could allow an authenticated remote attacker to execute arbitrary …