CVE-2024-32764 – This vulnerability in myQNAPcloud Link allows a... (How to Fix)

Q: What is the severity of CVE-2024-32764?

CVE-2024-32764 has a CVSS score of 9.9 (CRITICAL). This vulnerability in myQNAPcloud Link allows attackers to access critical functions without authentication. It affects users running vulnerable versions of the software, potentially enabling unauthorized control over QNAP NAS devices via network access.

📋 TL;DR

This vulnerability in myQNAPcloud Link allows attackers to access critical functions without authentication. It affects users running vulnerable versions of the software, potentially enabling unauthorized control over QNAP NAS devices via network access.

💻 Affected Systems

Products:

myQNAPcloud Link

Versions: Versions before 2.4.51

Operating Systems: QTS, QuTS hero

Default Config Vulnerable: ⚠️ Yes

Notes: Affects QNAP NAS devices with myQNAPcloud Link enabled.

📦 What is this software?

Myqnapcloud Link by Qnap

View all CVEs affecting Myqnapcloud Link →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of QNAP NAS devices, allowing data theft, ransomware deployment, or device takeover.

🟠

Likely Case

Unauthorized access to NAS functions, data exfiltration, or lateral movement within the network.

🟢

If Mitigated

Limited impact if devices are isolated, but still potential for initial access.

🌐 Internet-Facing: HIGH

🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Missing authentication suggests straightforward exploitation via network requests.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.4.51 and later

Vendor Advisory: https://www.qnap.com/en/security-advisory/qsa-24-09

Restart Required: Yes

Instructions:

1. Log into QNAP NAS admin interface. 2. Go to App Center. 3. Update myQNAPcloud Link to version 2.4.51 or later. 4. Restart the service or device.

🔧 Temporary Workarounds

Disable myQNAPcloud Link

all

Temporarily disable the vulnerable service until patching is possible.

Go to QNAP Control Panel > myQNAPcloud Link > Disable

Network isolation

linux

Restrict network access to QNAP devices using firewall rules.

iptables -A INPUT -p tcp --dport [myQNAPcloud port] -j DROP

🧯 If You Can't Patch

Isolate QNAP devices from internet and untrusted networks
Implement strict network segmentation and monitor for suspicious activity

🔍 How to Verify

Check if Vulnerable:

Check myQNAPcloud Link version in QNAP App Center or via SSH: cat /etc/config/qpkg.conf | grep myQNAPcloud

Check Version:

cat /etc/config/qpkg.conf | grep myQNAPcloud

Verify Fix Applied:

Confirm version is 2.4.51 or higher in App Center or via command line.

📡 Detection & Monitoring

Log Indicators:

Unauthorized access attempts in myQNAPcloud logs
Unexpected authentication bypass events

Network Indicators:

Unusual outbound connections from QNAP devices
Suspicious inbound traffic to myQNAPcloud ports

SIEM Query:

source="qnap_logs" AND (event="authentication_failure" OR event="unauthorized_access")

📊 Metadata

CVE ID: CVE-2024-32764

CVSS v3 Score: 9.9 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:L

CWE: CWE-306

Published: April 26, 2024

Last Updated: December 10, 2025

🔗 References

https://www.qnap.com/en/security-advisory/qsa-24-09 Vendor Advisory
https://www.qnap.com/en/security-advisory/qsa-24-09 Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-32764, you might also want to check these: