Login Sign Up

CVE-2024-51774

8.1 HIGH

📋 TL;DR

qBittorrent versions before 5.0.1 fail to properly validate HTTPS certificates, allowing connections to proceed even when certificate validation errors occur. This vulnerability enables man-in-the-middle attacks where attackers can intercept and potentially modify traffic between qBittorrent and remote servers. All users running vulnerable versions are affected.

💻 Affected Systems

Products:
  • qBittorrent
Versions: All versions before 5.0.1
Operating Systems: Windows, Linux, macOS
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all installations using default settings. The vulnerability is present in the HTTPS handling code.

📦 What is this software?

Qbittorrent by Qbittorrent

View all CVEs affecting Qbittorrent →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could perform man-in-the-middle attacks to intercept sensitive data, inject malicious content into downloads, or redirect users to malicious servers, potentially leading to remote code execution if combined with other vulnerabilities.

🟠

Likely Case

Attackers on the same network could intercept and manipulate qBittorrent traffic, potentially injecting malicious torrents or tracker responses that could compromise the system.

🟢

If Mitigated

With proper network segmentation and monitoring, the impact is limited to potential data interception within the compromised network segment.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires network access to intercept traffic. No public proof-of-concept has been released, but the vulnerability is straightforward to exploit for attackers with network access.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.0.1

Vendor Advisory: https://www.qbittorrent.org/news

Restart Required: Yes

Instructions:

1. Download qBittorrent 5.0.1 or later from the official website. 2. Close qBittorrent completely. 3. Install the new version. 4. Restart qBittorrent.

🔧 Temporary Workarounds

Disable HTTPS connections

all

Configure qBittorrent to use only HTTP connections where possible

Network segmentation

all

Isolate qBittorrent traffic to trusted networks only

🧯 If You Can't Patch

  • Restrict qBittorrent to trusted networks only using firewall rules
  • Monitor network traffic for unusual HTTPS certificate errors or unexpected connections

🔍 How to Verify

Check if Vulnerable:

Check qBittorrent version in Help → About. If version is below 5.0.1, the system is vulnerable.

Check Version:

qbittorrent --version

Verify Fix Applied:

Verify version is 5.0.1 or higher in Help → About. Test HTTPS connections to ensure certificate validation is working.

📡 Detection & Monitoring

Log Indicators:

  • Multiple HTTPS connection failures with certificate errors
  • Unexpected connections to non-standard HTTPS endpoints

Network Indicators:

  • HTTPS traffic with invalid certificates being accepted
  • Unusual outbound connections from qBittorrent

SIEM Query:

source="qbittorrent.log" AND ("certificate" OR "SSL" OR "TLS") AND ("error" OR "failed" OR "invalid")

📊 Metadata

CVE ID: CVE-2024-51774
CVSS v3 Score: 8.1 (HIGH)
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-295
Published: November 2, 2024
Last Updated: November 6, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-51774, you might also want to check these:

CVE-2025-68121 10.0

This vulnerability in Go's crypto/tls package allows TLS session resumption to succeed when it shoul...

Same vulnerability type (CWE-295)
CVE-2024-5261 9.8

LibreOfficeKit mode in LibreOffice versions before 24.2.4 disables TLS certificate verification when...

Same vulnerability type (CWE-295)
CVE-2023-51837 9.8

MeshCentral 1.1.16 fails to properly validate SSL certificates when establishing connections, allowi...

Same vulnerability type (CWE-295)