CVE-2024-50404 – This CVE describes a link following vulnerabili... (How to Fix)

Q: What is the severity of CVE-2024-50404?

CVE-2024-50404 has a CVSS score of 8.8 (HIGH). This CVE describes a link following vulnerability in Qsync Central that allows remote attackers with user access to traverse the file system to unintended locations. This affects organizations using vulnerable versions of Qsync Central for file synchronization. Attackers could potentially access sensitive files outside their authorized directories.

📋 TL;DR

This CVE describes a link following vulnerability in Qsync Central that allows remote attackers with user access to traverse the file system to unintended locations. This affects organizations using vulnerable versions of Qsync Central for file synchronization. Attackers could potentially access sensitive files outside their authorized directories.

💻 Affected Systems

Products:

Qsync Central

Versions: All versions before 4.4.0.16_20240819

Operating Systems: QNAP QTS, QuTS hero

Default Config Vulnerable: ⚠️ Yes

Notes: Requires attacker to have user-level access to the Qsync Central service.

📦 What is this software?

Qsync Central by Qnap

View all CVEs affecting Qsync Central →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote attackers with compromised user credentials could access sensitive system files, configuration data, or other users' data, potentially leading to data theft, privilege escalation, or system compromise.

🟠

Likely Case

Attackers with legitimate user access could access files outside their intended directory scope, potentially exposing sensitive business data or configuration files.

🟢

If Mitigated

With proper access controls and network segmentation, impact would be limited to the compromised user's access level and isolated network segments.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploitation requires valid user credentials but the vulnerability itself is straightforward to exploit once access is obtained.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.4.0.16_20240819 and later

Vendor Advisory: https://www.qnap.com/en/security-advisory/qsa-24-48

Restart Required: Yes

Instructions:

1. Log into QNAP App Center. 2. Check for updates to Qsync Central. 3. Install version 4.4.0.16_20240819 or later. 4. Restart Qsync Central service.

🔧 Temporary Workarounds

Restrict User Access

all

Limit user accounts to only necessary personnel and implement strong authentication controls.

Network Segmentation

all

Isolate Qsync Central service from sensitive network segments and implement firewall rules.

🧯 If You Can't Patch

Implement strict access controls and monitor for unusual file access patterns
Consider disabling Qsync Central if not essential for business operations

🔍 How to Verify

Check if Vulnerable:

Check Qsync Central version in QNAP App Center or via SSH: cat /etc/config/uLinux.conf | grep qsync

Check Version:

cat /etc/config/uLinux.conf | grep 'qsync.*version'

Verify Fix Applied:

Verify version is 4.4.0.16_20240819 or later in App Center or via version check command

📡 Detection & Monitoring

Log Indicators:

Unusual file access patterns in Qsync logs
Multiple failed authentication attempts followed by successful login

Network Indicators:

Unusual data transfers from Qsync service
Connection attempts from unexpected IP addresses

SIEM Query:

source="qsync*" AND (event="file_access" AND path="../" OR event="auth_failure")

📊 Metadata

CVE ID: CVE-2024-50404

CVSS v3 Score: 8.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-59

Published: December 6, 2024

Last Updated: December 10, 2025

🔗 References

https://www.qnap.com/en/security-advisory/qsa-24-48 Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-50404, you might also want to check these: