Page 1 of 1

Remote Code Execution vulnerability in ALL versions of qBittorrent before 5.0.1

Posted: 04 Nov 2024, 16:57
by Pe6yc
All qBittorrent users are urged to update to 5.0.1, downloading it directly from https://qbittorrent.org (not by using the built-in updater!) due to a RCE bug in all other allowed versions.

Due to a bad choice back in 2010, qBittorrent does not check ANY SSL/TLS certificates. Due to this and other flaws, it opens up a risk of a Man-In-The-Middle attack that is then used as a Remote Code Execution, with either minimal or no user interaction required.

Included in the bad processes are the update check AND download, RSS feeds, favicons, automatic Python download on Windows, and the Maxmind GeoIP database update.

More details from the released information here: https://sharpsec.run/rce-vulnerability-in-qbittorrent/

Update native qBittorent to 5.0.1 version please.

Re: Remote Code Execution vulnerability in ALL versions of qBittorrent before 5.0.1

Posted: 04 Nov 2024, 20:46
by TMzethar
Thank you for the reminder and we will continue to monitor and discuss plans.