Security ID : QSA-24-53
Vulnerability in QuLog Center, Legacy QTS, and Legacy QuTS hero
Release date : March 8, 2025
CVE identifier : CVE-2024-53696
Affected products: QuLog Center 1.7.x, 1.8.x; QTS 4.5.x; QuTS hero h4.5.x
Severity
Low
Status
Resolved
Summary
A server-side request forgery (SSRF) vulnerability has been reported to affect QuLog Center and legacy versions of QTS and QuTS hero. If exploited, the vulnerability could allow remote attackers who have gained administrator access to read application data.
We have already fixed the vulnerability in the following versions:
| Affected Product | Fixed Version |
| QuLog Center 1.7.x | QuLog Center 1.7.0.829 (2024/10/01) and later |
| QuLog Center 1.8.x | QuLog Center 1.8.0.888 (2024/10/15) and later |
| QTS 4.5.x | QTS 4.5.4.2957 build 20241119 and later |
| QuTS hero h4.5.x | QuTS hero h4.5.4.2956 build 20241119 and later |
Recommendation
To fix the vulnerability, we recommend updating QuLog Center and your operating system to the latest version.
Updating QuLog Center
- Log in to QTS or QuTS hero as an administrator.
- Open App Center and then click
.
A search box appears. - Type "QuLog Center" and then press ENTER.
QuLog Center appears in the search results. - Click Update.
A confirmation message appears.
Note: The Update button is not available if your QuLog Center is already up to date. - Click OK.
The application is updated.
Updating QTS or QuTS hero
- Log in to QTS or QuTS hero as an administrator.
- Go to Control Panel > System > Firmware Update.
- Under Live Update, click Check for Update.
The system downloads and installs the latest available update.
Tip: You can also download the update from the QNAP website. Go to Support > Download Center and then perform a manual update for your specific device.
Attachment
Acknowledgements: Aymen BORGI and Ibrahim AYADHI from RandoriSec
Revision History:
V1.0 (March 8, 2025) - Published
