CVE-2024-50387

ENISA EUVD: EUVD-2024-45183 ↗

✓ Confirmed 0-Day

Triaged: March 5, 2026 4 articles Published: 2024-12-06

VulnLookup ↗ NVD ↗ EUVD ↗ MITRE ↗

EPSS Score

Source: FIRST.org · 2026-05-23

23.45%

probability

This CVE has a 23.45% probability of being exploited in the next 30 days.

0% Top 96.0th percentile of all CVEs 100%

CVSS v4.0 NEW

Source: VulnerabilityLookup (CIRCL)

CRITICAL

Attack Vector

Network

Attack Complexity

Low

Attack Requirements

None

Privileges Required

None

User Interaction

None

Vulnerable System Confidentiality Impact

High

Vulnerable System Integrity Impact

High

Vulnerable System Availability Impact

High

Subsequent System Confidentiality Impact

High

Subsequent System Integrity Impact

High

Subsequent System Availability Impact

High

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

CVSS v3.1

Source: NVD

9.8

CRITICAL

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Description

VulnerabilityLookup (CNA)

A SQL injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow remote attackers to inject malicious code. We have already fixed the vulnerability in the following version: SMB Service 4.15.002 and later SMB Service h4.15.002 and later

Affected Products

QNAP Systems Inc.

SMB Service

4.15.x h4.15.x

qnap

smb service

QNAP Systems Inc.

SMB Service

4.15.x <4.15.002

QNAP Systems Inc.

SMB Service

h4.15.x <h4.15.002

Attack Intelligence

CWE-707 · Improper Neutralization CWE-74 · Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') CWE-89 · SQL Injection CWE-943 · Improper Neutralization of Special Elements in Data Query Logic

https://www.qnap.com/en/security-advisory/qsa-24-42

Signal Intelligence

Confidenceⓘ

92%

EPSS 23.45%

CVSS v4.0 10

CVSS v3.1 9.8

Mentions 4

Last Seen Nov 07, 2025

CNA Information

CNA Assigner

qnap

CNA Title

SMB Service

Analyst Note

CVE-2024-50387 is explicitly named as a zero-day exploited at Pwn2Own 2024, with QNAP issuing patches (SMB Service 4.15.002+) in response to active exploitation. Multiple authoritative sources confirm zero-day status and in-the-wild exploitation at the security conference, with patch availability coinciding with the disclosure.

Threat Actors 2

Hacking Team

apt_group 🇮🇹 IT

Mana Team

apt_group 🇨🇳 CN

Triage Info

Decided atMar 05, 2026

Published DateDec 06, 2024