CVE-2024-56804 – This SQL injection vulnerability in QNAP Video ... (How to Fix)

📋 TL;DR

This SQL injection vulnerability in QNAP Video Station allows authenticated attackers to execute arbitrary SQL commands. Attackers with user accounts can potentially execute unauthorized code or commands on affected systems. Organizations running vulnerable versions of Video Station are at risk.

💻 Affected Systems

Products:

QNAP Video Station

Versions: Versions before 5.8.4

Operating Systems: QTS, QuTS hero

Default Config Vulnerable: ⚠️ Yes

Notes: Requires attacker to have a user account on the system

📦 What is this software?

Video Station by Qnap

View all CVEs affecting Video Station →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system compromise leading to data theft, ransomware deployment, or complete system takeover

🟠

Likely Case

Database information disclosure, privilege escalation, or limited command execution

🟢

If Mitigated

Limited impact due to network segmentation and proper authentication controls

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: LOW

SQL injection vulnerabilities are typically easy to exploit once discovered

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Video Station 5.8.4 and later

Vendor Advisory: https://www.qnap.com/en/security-advisory/qsa-25-32

Restart Required: Yes

Instructions:

1. Log into QNAP App Center
2. Check for updates to Video Station
3. Update to version 5.8.4 or later
4. Restart Video Station service

🔧 Temporary Workarounds

Network Segmentation

all

Restrict access to Video Station to trusted networks only

Account Management

all

Implement strong password policies and review user accounts

🧯 If You Can't Patch

Disable Video Station service if not required
Implement strict network access controls and monitor for suspicious activity

🔍 How to Verify

Check if Vulnerable:

Check Video Station version in QNAP App Center or via SSH: cat /etc/config/video_station.conf | grep version

Check Version:

cat /etc/config/video_station.conf | grep version

Verify Fix Applied:

Confirm Video Station version is 5.8.4 or higher

📡 Detection & Monitoring

Log Indicators:

Unusual SQL queries in application logs
Multiple failed authentication attempts followed by SQL-like patterns

Network Indicators:

Unusual database connections from Video Station
SQL error messages in HTTP responses

SIEM Query:

source="video_station.log" AND ("sql" OR "database" OR "query") AND ("error" OR "exception")

📊 Metadata

CVE ID: CVE-2024-56804

CVSS v3 Score: 8.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-89

EPSS Score: 0.16% exploit probability (36.3th percentile)

Published: October 3, 2025

Last Updated: October 7, 2025

🔗 References

https://www.qnap.com/en/security-advisory/qsa-25-32 Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-56804, you might also want to check these: