CVE-2024-38647 – This CVE describes an information exposure vuln... (How to Fix)

Q: What is the severity of CVE-2024-38647?

CVE-2024-38647 has a CVSS score of 7.5 (HIGH). This CVE describes an information exposure vulnerability in QNAP AI Core that could allow remote attackers to access sensitive system information. The vulnerability affects QNAP AI Core versions before 3.4.1. Successful exploitation could compromise system security by exposing confidential data.

📋 TL;DR

This CVE describes an information exposure vulnerability in QNAP AI Core that could allow remote attackers to access sensitive system information. The vulnerability affects QNAP AI Core versions before 3.4.1. Successful exploitation could compromise system security by exposing confidential data.

💻 Affected Systems

Products:

QNAP AI Core

Versions: All versions before 3.4.1

Operating Systems: QTS, QuTS hero

Default Config Vulnerable: ⚠️ Yes

Notes: Affects QNAP NAS devices running AI Core software. The vulnerability is present in default configurations.

📦 What is this software?

Ai Core by Qnap

View all CVEs affecting Ai Core →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote attackers gain access to sensitive system information, credentials, or configuration data leading to full system compromise or lateral movement within the network.

🟠

Likely Case

Attackers extract sensitive information about the AI Core system, potentially including configuration details, API keys, or system metadata that could facilitate further attacks.

🟢

If Mitigated

With proper network segmentation and access controls, impact is limited to information disclosure without enabling further system compromise.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

The vulnerability allows remote exploitation without authentication, making it relatively easy to exploit if accessible.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.4.1 and later

Vendor Advisory: https://www.qnap.com/en/security-advisory/qsa-24-40

Restart Required: Yes

Instructions:

1. Log into QNAP NAS web interface. 2. Go to App Center. 3. Check for updates for QNAP AI Core. 4. Update to version 3.4.1 or later. 5. Restart the AI Core service or the NAS if required.

🔧 Temporary Workarounds

Network Isolation

all

Restrict network access to QNAP AI Core service to trusted IPs only

Use QNAP firewall rules to restrict access to AI Core port(s)

Service Disablement

all

Temporarily disable QNAP AI Core if not in use

In QNAP App Center, stop the AI Core service

🧯 If You Can't Patch

Implement strict network segmentation to isolate the vulnerable system
Monitor network traffic to/from the AI Core service for suspicious activity

🔍 How to Verify

Check if Vulnerable:

Check QNAP AI Core version in App Center. If version is below 3.4.1, the system is vulnerable.

Check Version:

Check via QNAP web interface: App Center > Installed Apps > QNAP AI Core

Verify Fix Applied:

Confirm AI Core version is 3.4.1 or higher in App Center after update.

📡 Detection & Monitoring

Log Indicators:

Unusual access patterns to AI Core endpoints
Failed authentication attempts followed by information requests

Network Indicators:

Unusual outbound connections from AI Core service
External IPs accessing AI Core API endpoints

SIEM Query:

source="qnap_nas" AND (app="ai_core" AND (event="access" OR event="api_call")) AND src_ip NOT IN [trusted_ips]

📊 Metadata

CVE ID: CVE-2024-38647

CVSS v3 Score: 7.5 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE: CWE-200

Published: November 22, 2024

Last Updated: December 8, 2025

🔗 References

https://www.qnap.com/en/security-advisory/qsa-24-40 Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-38647, you might also want to check these: