QNAP: Eleven Security Advisories on Resolved Vulnerabilities
Concerning QTS and QuTS hero NAS OS, HBS 3 Hybrid Backup Sync, Malware Remover, Hyper Data Protector, QuMagie, Download Station, File Station 5, Notification Center, Qsync Central, and QuLog Center
This is a Press Release edited by StorageNewsletter.com on November 11, 2025 at 2:01 pm
QNAP Systems, Inc. has published security enhancements against security vulnerabilities that could affect specific versions of QNAP products.
Use the following information and solutions to correct the security issues and vulnerabilities.
This advisory includes the following:
- Multiple Vulnerabilities in QTS and QuTS hero (PWN2OWN 2025) (ID: QSA-25-45)
- Multiple Vulnerabilities in HBS 3 Hybrid Backup Sync (PWN2OWN 2025) (ID: QSA-25-46)
- Vulnerability in Malware Remover (PWN2OWN 2025) (ID: QSA-25-47)
- Vulnerability in Hyper Data Protector (PWN2OWN 2025) (ID: QSA-25-48)
- Vulnerability in QuMagie (ID: QSA-25-33)
- Multiple Vulnerabilities in Download Station (ID: QSA-25-37)
- Multiple Vulnerabilities in File Station 5 (ID: QSA-25-38)
- Vulnerability in Notification Center (ID: QSA-25-40)
- Vulnerability in Qsync Central (ID: QSA-25-41)
- Multiple Vulnerabilities in QuLog Center (ID: QSA-25-42)
- Vulnerability in QuMagie (ID: QSA-25-43)
Multiple Vulnerabilities in QTS and QuTS hero (PWN2OWN 2025)
Security ID: QSA-25-45
Release date: November 8, 2025
CVE identifier: CVE-2025-62847 | CVE-2025-62848 | CVE-2025-62849 | ZDI-CAN-28353 | ZDI-CAN-28435 | ZDI-CAN-28436
Severity: Critical
Status: Resolved
Affected products: QTS 5.2.x, QuTS hero h5.2.x, QuTS hero h5.3.x
Summary
Multiple vulnerabilities have been reported to affect certain QNAP operating system versions.
The company has already fixed the vulnerabilities in the following versions:

| Affected Product | Fixed Version |
| --- | --- |
| QTS 5.2.x | QTS 5.2.7.3297 build 20251024 and later |
| QuTS hero h5.2.x | QuTS hero h5.2.7.3297 build 20251024 and later |
| QuTS hero h5.3.x | QuTS hero h5.3.1.3292 build 20251024 and later |

Multiple Vulnerabilities in HBS 3 Hybrid Backup Sync (PWN2OWN 2025)
Security ID: QSA-25-46
Release date: November 8, 2025
CVE identifier: CVE-2025-62840 | CVE-2025-62842 | ZDI-CAN-28426 | ZDI-CAN-28428
Severity: Critical
Status: Resolved
Affected products: HBS 3 Hybrid Backup Sync 26.1.x and earlier
Summary
Multiple vulnerabilities have been reported to affect HBS 3 Hybrid Backup Sync.
The company has already fixed the vulnerabilities in the following version:

| Affected Product | Fixed Version |
| --- | --- |
| HBS 3 Hybrid Backup Sync 26.1.x and earlier | HBS 3 Hybrid Backup Sync 26.2.0.938 and later |

Vulnerability in Malware Remover (PWN2OWN 2025)
Security ID: QSA-25-47
Release date: November 8, 2025
CVE identifier: CVE-2025-11837 | ZDI-CAN-28324
Severity: Critical
Status: Resolved
Affected products: Malware Remover 6.6.x
Summary
A vulnerability has been reported to affect Malware Remover.
The company has already fixed the vulnerability in the following version:

| Affected Product | Fixed Version |
| --- | --- |
| Malware Remover 6.6.x | Malware Remover 6.6.8.20251023 and later |

Vulnerability in Hyper Data Protector (PWN2OWN 2025)
Security ID: QSA-25-48
Release date: November 8, 2025
CVE identifier: CVE-2025-59389
Severity: Critical
Status: Resolved
Affected products: Hyper Data Protector 2.2.x
Summary
A vulnerability has been reported to affect Hyper Data Protector.
The company has already fixed the vulnerability in the following version:

| Affected Product | Fixed Version |
| --- | --- |
| Hyper Data Protector 2.2.x | Hyper Data Protector 2.2.4.1 and later |

Vulnerability in QuMagie
Security ID: QSA-25-33
Release date: November 8, 2025
CVE identifier: CVE-2025-52425
Severity: Critical
Status: Resolved
Affected products: QuMagie 2.6.x
Summary
An SQL injection vulnerability has been reported to affect QuMagie. A remote attacker can exploit the vulnerability to execute unauthorized code or commands.
The company has already fixed the vulnerability in the following version:

| Affected Product | Fixed Version |
| --- | --- |
| QuMagie 2.6.x | QuMagie 2.7.0 and later |

Multiple Vulnerabilities in Download Station
Security ID: QSA-25-37
Release date: November 8, 2025
CVE identifier: CVE-2025-58463 | CVE-2025-58465
Severity: Important
Status: Resolved
Affected products: Download Station 5.10.x
Multiple vulnerabilities have been reported to affect Download Station:
- CVE-2025-58463: Relative path traversal vulnerability. If a remote attacker gains access to an administrator account, they can then exploit the vulnerability to read the contents of unexpected files or system data.
- CVE-2025-58465: Cross-site scripting (XSS) vulnerability. If a remote attacker gains access to a user account, they can then exploit the vulnerability to bypass security mechanisms or read application data.
The company has already fixed the vulnerabilities in the following versions:

| Affected Product | Fixed Version |
| --- | --- |
| Download Station 5.10.x (for QTS 5.2.1) | Download Station 5.10.0.305 (2025/09/16) and later |
| Download Station 5.10.x (for QuTS hero h5.2.1) | Download Station 5.10.0.304 (2025/09/08) and later |

Multiple Vulnerabilities in File Station 5
Security ID: QSA-25-38
Release date: November 8, 2025
CVE identifier: CVE-2025-47207 | CVE-2025-53408 | CVE-2025-53409 | CVE-2025-53410 | CVE-2025-53411 | CVE-2025-53412 | CVE-2025-53413 | CVE-2025-52865 | CVE-2025-57706
Severity: Moderate
Status: Resolved
Affected products: File Station 5 version 5.5.x
Summary
Multiple vulnerabilities have been reported to affect File Station 5:
- CVE-2025-53410: Allocation of resources without limits or throttling vulnerability. If a remote attacker gains access to a user account, they can then exploit the vulnerability to prevent other systems, applications, or processes from accessing the same type of resource.
- CVE-2025-53409, CVE-2025-53411, CVE-2025-53413: Allocation of resources without limits or throttling vulnerabilities. If a remote attacker gains access to an administrator account, they can then exploit the vulnerabilities to prevent other systems, applications, or processes from accessing the same type of resource.
- CVE-2025-47207, CVE-2025-52865, CVE-2025-53408, CVE-2025-53412: NULL pointer dereference vulnerabilities. If a remote attacker gains access to a user account, they can then exploit the vulnerabilities to launch a denial-of-service (DoS) attack.
- CVE-2025-57706: Cross-site scripting (XSS) vulnerability. If a remote attacker gains access to a user account, they can then exploit the vulnerability to bypass security mechanisms or read application data.
The company has already fixed the vulnerabilities in the following version:

| Affected Product | Fixed Version |
| --- | --- |
| File Station 5 version 5.5.x | File Station 5 version 5.5.6.5018 and later |

Vulnerability in Notification Center
Security ID: QSA-25-40
Release date: November 8, 2025
CVE identifier: CVE-2025-54167
Severity: Moderate
Status: Resolved
Affected products: Notification Center 1.9.x, 2.1.x, 3.0.x
Summary
A cross-site scripting (XSS) vulnerability has been reported to affect Notification Center. If a remote attacker gains access to an administrator account, they can then exploit the vulnerability to bypass security mechanisms or read application data.
The company has already fixed the vulnerability in the following versions:

| Affected Product | Fixed Version |
| --- | --- |
| Notification Center 1.9.x | Notification Center 1.9.2.3163 and later |
| Notification Center 2.1.x | Notification Center 2.1.0.3443 and later |
| Notification Center 3.0.x | Notification Center 3.0.0.3466 and later |

Vulnerability in Qsync Central
Security ID: QSA-25-41
Release date: November 8, 2025
CVE identifier: CVE-2025-57712
Severity: Important
Status: Resolved
Affected products: Qsync Central 5.0.x
Summary
A path traversal vulnerability has been reported to affect Qsync Central. If a remote attacker gains access to a user account, they can then exploit the vulnerability to read the contents of unexpected files or system data.
The company has already fixed the vulnerability in the following version:

| Affected Product | Fixed Version |
| --- | --- |
| Qsync Central 5.0.x | Qsync Central 5.0.0.3 (2025/08/28) and later |

Multiple Vulnerabilities in QuLog Center
Security ID: QSA-25-42
Release date: November 8, 2025
CVE identifier: CVE-2025-54168 | CVE-2025-58469
Severity: Moderate
Status: Resolved
Affected products: QuLog Center 1.8.x
Summary
Multiple vulnerabilities have been reported to affect QuLog Center:
- CVE-2025-54168: Cross-site scripting (XSS) vulnerability. If a remote attacker gains access to an administrator account, they can then exploit the vulnerability to bypass security mechanisms or read application data.
- CVE-2025-58469: Cross-site request forgery (CSRF) vulnerability. A remote attacker can exploit the vulnerability to gain privileges or hijack user identities.
The company has already fixed the vulnerabilities in the following version:

| Affected Product | Fixed Version |
| --- | --- |
| QuLog Center 1.8.x | QuLog Center 1.8.2.923 (2025/08/27) and later |

Vulnerability in QuMagie
Security ID: QSA-25-43
Release date: November 8, 2025
CVE identifier: CVE-2025-58464
Severity: Important
Status: Resolved
Affected products: QuMagie 2.7.x
Summary
A relative path traversal vulnerability has been reported to affect QuMagie. If exploited, a remote attacker can read the contents of unexpected files or system data.
The company has already fixed the vulnerability in the following version:

| Affected Product | Fixed Version |
| --- | --- |
| QuMagie 2.7.x | QuMagie 2.7.3 and later |











