CVE-2024-21899

Name of the Vulnerable Software and Affected Versions QTS versions prior to 5.1.3.2578 build 20231110 QTS versions prior to 4.5.4.2627 build 20231225 QuTS hero versions prior to h5.1.3.2578 build 20231110 QuTS hero versions prior to h4.5.4.2626 build 20231225 QuTScloud versions prior to c5.1.5.2651

Description The issue is related to an improper authentication vulnerability that could allow unauthorized remote access to the NAS device. If exploited, the vulnerability could allow users to compromise the security of the system via a network. It is estimated that over 3 million devices may be affected. The vulnerability can be exploited by sending a POST request to the "https://192.168.0.10/cgi-bin/priv/privWizard.cgi" endpoint with specific parameters, such as wiz func=start 2sv, action=none, user=guest, and pwd=none. Vulnerable hosts will return system information, including version and patch number.

Recommendations For QTS versions prior to 5.1.3.2578 build 20231110, update to version 5.1.3.2578 build 20231110 or later. For QTS versions prior to 4.5.4.2627 build 20231225, update to version 4.5.4.2627 build 20231225 or later. For QuTS hero versions prior to h5.1.3.2578 build 20231110, update to version h5.1.3.2578 build 20231110 or later. For QuTS hero versions prior to h4.5.4.2626 build 20231225, update to version h4.5.4.2626 build 20231225 or later. For QuTScloud versions prior to c5.1.5.2651, update to version c5.1.5.2651 or later. As a temporary workaround, consider restricting access to the vulnerable API endpoint until a patch is available.