
QNAP Six Security Advisories on Multiple Resolved Vulnerabilities

Concerning QNAP Authenticator, Video Station App, Qsync Central, QTS and QuTS hero NAS OSs, and NetBak Replicator

QNAP Systems, Inc. has published security enhancements against security vulnerabilities that could affect specific versions of the company’s products.

Use the following information and solutions to correct the security issues and vulnerabilities.

This advisory includes the following:


Vulnerability in QNAP Authenticator

Security ID: QSA-25-30
Release date: October 4, 2025
CVE identifier: CVE-2025-54153
Severity: Moderate
Status: Resolved
Affected products: QNAP Authenticator 1.3.x

Summary
An improper authentication vulnerability has been reported to affect QNAP Authenticator. If an attacker gains physical access to your device, they can then exploit the vulnerability to compromise the security of the system.

The company has already fixed the vulnerability in the following version:

Affected Product: QNAP Authenticator 1.3.x
Fixed Version: QNAP Authenticator 1.3.1.1227 and later

More information


Vulnerability in Video Station

Security ID: QSA-25-32
Release date: October 4, 2025
CVE identifier: CVE-2024-56804
Severity: Important
Status: Resolved
Affected products: Video Station 5.8.x

Summary
An SQL injection vulnerability has been reported to affect Video Station. If a remote attacker gains access to a user account, they can then exploit the vulnerability to execute unauthorized code or commands.

The company has already fixed the vulnerability in the following version:

Affected Product: Video Station 5.8.x
Fixed Version: Video Station 5.8.4 and later

More information


Multiple Vulnerabilities in Qsync Central

Security ID: QSA-25-34
Release date: October 4, 2025
CVE identifier: CVE-2025-33034 | CVE-2025-33039 | CVE-2025-33040 | CVE-2025-44006 | CVE-2025-44007 | CVE-2025-44008 | CVE-2025-44009 | CVE-2025-44010 | CVE-2025-44011 | CVE-2025-44014
Severity: Moderate
Status: Resolved
Affected products: Qsync Central 4.x

Summary
Multiple vulnerabilities have been reported to affect Qsync Central:

  • CVE-2025-33034: Path traversal vulnerability
    If a remote attacker gains access to a user account, they can then exploit the vulnerability to read the contents of unexpected files or system data.
  • CVE-2025-33039, CVE-2025-33040, CVE-2025-44006, CVE-2025-44007: Allocation of resources without limits or throttling vulnerabilities
    If a remote attacker gains access to a user account, they can then exploit the vulnerabilities to prevent other systems, applications, or processes from accessing the same type of resource.
  • CVE-2025-44008, CVE-2025-44009, CVE-2025-44010, CVE-2025-44011: NULL pointer dereference vulnerabilities
    If a remote attacker gains access to a user account, they can then exploit the vulnerabilities to launch a denial-of-service (DoS) attack.
  • CVE-2025-44014: Out-of-bounds write vulnerability
    If a remote attacker gains access to a user account, they can then exploit the vulnerability to modify or corrupt memory.

The company has already fixed the vulnerabilities in the following version:

Affected Product: Qsync Central 4.x
Fixed Version: Qsync Central 5.0.0.1 (2025/07/09) and later

More information


Multiple Vulnerabilities in Qsync Central

Security ID: QSA-25-35
Release date: October 4, 2025
CVE identifier: CVE-2025-44012 | CVE-2025-47210 | CVE-2025-52867 | CVE-2025-53595 | CVE-2025-54153
Severity: Important
Status: Resolved
Affected products: Qsync Central 5.0.0

Summary
Multiple vulnerabilities have been reported to affect Qsync Central:

  • CVE-2025-44012: Allocation of resources without limits or throttling vulnerability
    If a remote attacker gains access to a user account, they can then exploit the vulnerability to prevent other systems, applications, or processes from accessing the same type of resource.
  • CVE-2025-47210: NULL pointer dereference vulnerability
    If a remote attacker gains access to a user account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack.
  • CVE-2025-52867: Uncontrolled resource consumption vulnerability
    If a remote attacker gains access to a user account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack.
  • CVE-2025-53595, CVE-2025-54153: SQL injection vulnerabilities
    If a remote attacker gains access to a user account, they can then exploit the vulnerabilities to execute unauthorized code or commands.

The company has already fixed the vulnerabilities in the following version:

Affected Product: Qsync Central 5.0.0
Fixed Version: Qsync Central 5.0.0.2 (2025/07/31) and later

More information


Multiple Vulnerabilities in QTS and QuTS hero

Security ID: QSA-25-36
Release date: October 4, 2025
CVE identifier: CVE-2025-47211 | CVE-2025-47212 | CVE-2025-47213 | CVE-2025-47214 | CVE-2025-48726 | CVE-2025-48727 | CVE-2025-48728 | CVE-2025-48729 | CVE-2025-48730 | CVE-2025-52424 | CVE-2025-52427 | CVE-2025-52428 | CVE-2025-52429 | CVE-2025-52432 | …
Severity: Moderate
Status: Resolved
Affected products: QTS 5.2.x, QuTS hero h5.2.x

Summary
Multiple vulnerabilities have been reported to affect certain QNAP OS versions:

  • CVE-2025-47211: Path traversal vulnerability
    If a remote attacker gains access to an administrator account, they can then exploit the vulnerability to read the contents of unexpected files or system data.
  • CVE-2025-47212: Command injection vulnerability
    If a remote attacker gains access to an administrator account, they can then exploit the vulnerability to execute arbitrary commands.
  • CVE-2025-47213, CVE-2025-47214, CVE-2025-48726, CVE-2025-48727, CVE-2025-48728, CVE-2025-48729, CVE-2025-52424, CVE-2025-52427, CVE-2025-52428, CVE-2025-52432, CVE-2025-52433, CVE-2025-52853, CVE-2025-52854, CVE-2025-52855, CVE-2025-52857, CVE-2025-52858, CVE-2025-52859, CVE-2025-52860, CVE-2025-52862, CVE-2025-52866: NULL pointer dereference vulnerabilities
    If a remote attacker gains access to an administrator account, they can then exploit the vulnerabilities to launch a denial-of-service (DoS) attack.
  • CVE-2025-48730, CVE-2025-52429, CVE-2025-53406, CVE-2025-53407: Use of externally-controlled format string vulnerabilities
    If a remote attacker gains access to an administrator account, they can then exploit the vulnerabilities to obtain secret data or modify memory.

The company has already fixed the vulnerabilities in the following versions:

Affected Product: QTS 5.2.x
Fixed Version: QTS 5.2.6.3195 build 20250715 and later

Affected Product: QuTS hero h5.2.x
Fixed Version: QuTS hero h5.2.6.3195 build 20250715 and later

More information


Vulnerability in NetBak Replicator

Security ID: QSA-25-39
Release date: October 4, 2025
CVE identifier: CVE-2025-57714
Severity: Important
Status: Resolved
Affected product: NetBak Replicator 4.5.x

Summary
An unquoted search path or element vulnerability has been reported to affect NetBak Replicator. If a local attacker gains access to a user account, they can then exploit the vulnerability to execute unauthorized code or commands.

The company has already fixed the vulnerability in the following version:

Affected Product: NetBak Replicator 4.5.x
Fixed Version: NetBak Replicator 4.5.15.0807 and later

More information

Support: Questions regarding this issue
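As an added example (not part of the QNAP advisories or of any QNAP tool), the following Python check compares an inventory of installed versions against the affected branches and fixed versions listed in the six advisories above. It assumes QNAP version strings compare as dotted integer tuples once the QuTS hero "h" prefix, the "build NNN" suffix and the "(date)" suffix are dropped; the inventory lines are constructed sample data.

```python
import re

# Affected branches and fixed versions as published in QSA-25-30, -32, -34,
# -35, -36 and -39. Qsync Central carries both advisories (4.x and 5.0.0),
# and 5.0.0.2 is the later of the two fixed versions.
ADVISORIES = {
    "QNAP Authenticator": {"affected": ["1.3.x"], "fixed": "1.3.1.1227"},
    "Video Station": {"affected": ["5.8.x"], "fixed": "5.8.4"},
    "Qsync Central": {"affected": ["4.x", "5.0.0"], "fixed": "5.0.0.2 (2025/07/31)"},
    "QTS": {"affected": ["5.2.x"], "fixed": "5.2.6.3195 build 20250715"},
    "QuTS hero": {"affected": ["h5.2.x"], "fixed": "h5.2.6.3195 build 20250715"},
    "NetBak Replicator": {"affected": ["4.5.x"], "fixed": "4.5.15.0807"},
}


def parse_version(s: str) -> tuple:
    """Reduce 'h5.2.6.3195 build 20250715', '5.0.0.2 (2025/07/31)' or a
    branch like '5.8.x' to a tuple of ints; the regex stops at '.x',
    ' build' or ' ('. Assumption: the dotted part is the comparable version."""
    m = re.match(r"\s*h?(\d+(?:\.\d+)*)", s)
    if not m:
        raise ValueError(f"unparseable version string: {s!r}")
    return tuple(int(x) for x in m.group(1).split("."))


def assess(product: str, installed: str) -> str:
    """'fixed' if at or above the fixed version, 'affected' if below it and
    inside a listed affected branch, else 'not covered' (outside the
    advisory's scope, so neither vulnerable nor clean is asserted)."""
    adv = ADVISORIES[product]
    v = parse_version(installed)
    if v >= parse_version(adv["fixed"]):
        return "fixed"
    for branch in adv["affected"]:
        p = parse_version(branch)          # '5.2.x' -> (5, 2); '5.0.0' -> (5, 0, 0)
        if v[:len(p)] == p:
            return "affected"
    return "not covered"


# Constructed sample inventory: (hostname, product, version as reported by the device).
SAMPLE_INVENTORY = [
    ("nas-01", "QTS", "5.2.5.3138 build 20250519"),
    ("nas-02", "QuTS hero", "h5.2.6.3195 build 20250715"),
    ("nas-03", "Qsync Central", "5.0.0.1 (2025/07/09)"),
    ("nas-04", "Video Station", "5.7.2"),
    ("pc-17", "NetBak Replicator", "4.5.14.0512"),
]


def report(inventory) -> dict:
    """Map hostname -> (product, status) for every inventory row."""
    return {host: (product, assess(product, ver)) for host, product, ver in inventory}


if __name__ == "__main__":
    for host, (product, status) in report(SAMPLE_INVENTORY).items():
        print(f"{host:8} {product:20} {status}")
```

Only hosts reported as "affected" need the listed update; "not covered" rows (such as a Video Station 5.7.x install) fall outside these advisories and should be checked against QNAP's release notes separately.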
