QNAP: Seven Security Advisories on Resolved Vulnerabilities
Concerning QuMagie, QTS and QuTS hero NAS OSs, License Center, MARS (Multi-Application Recovery Service), Qfiling, Qfinder Pro, Qsync, and QVPN Device Client (for Mac)
This is a Press Release edited by StorageNewsletter.com on January 5, 2026 at 2:00 pm
QNAP Systems, Inc. has published security enhancements against security vulnerabilities that could affect specific versions of QNAP products.
Use the following information and solutions to correct the security issues and vulnerabilities.
This advisory includes the following:
- Vulnerability in QuMagie (ID: QSA-25-49)
- Multiple Vulnerabilities in QTS and QuTS hero (ID: QSA-25-50)
- Multiple Vulnerabilities in QTS and QuTS hero (ID: QSA-25-51)
- Multiple Vulnerabilities in License Center (ID: QSA-25-52)
- Vulnerability in MARS (Multi-Application Recovery Service) (ID: QSA-25-53)
- Vulnerability in Qfiling (ID: QSA-25-54)
- Vulnerability in Qfinder Pro, Qsync, and QVPN Device Client (for Mac) (ID: QSA-25-55)
Vulnerability in QuMagie
Security ID: QSA-25-49
Release date: January 3, 2026
CVE identifier: CVE-2025-62857
Severity: Moderate
Status: Resolved
Affected products: QuMagie 2.x
Summary
A cross-site scripting (XSS) vulnerability has been reported to affect QuMagie. If exploited, remote attackers could bypass security mechanisms or read application data.
The company has already fixed the vulnerability in the following version:
| Affected Product | Fixed Version |
| --- | --- |
| QuMagie 2.x | QuMagie 2.8.1 and later |
Multiple Vulnerabilities in QTS and QuTS hero
Security ID: QSA-25-50
Release date: January 3, 2026
CVE identifier: CVE-2025-44013, CVE-2025-47208, CVE-2025-52426, CVE-2025-52430, CVE-2025-52431, CVE-2025-52863, CVE-2025-52864, CVE-2025-52872, CVE-2025-53405, CVE-2025-53414, CVE-2025-53589, CVE-2025-53590, CVE-2025-53591, CVE-2025-53592, CVE-2025-53593, CVE-2025-53596
Severity: Moderate
Status: Resolved
Affected products: QTS 5.2.x; QuTS hero h5.2.x, h5.3.x
Summary
Multiple vulnerabilities have been reported to affect several QNAP OS versions:
- CVE-2025-44013, CVE-2025-52426, CVE-2025-52430, CVE-2025-52431, CVE-2025-53405, CVE-2025-53414, CVE-2025-53589, CVE-2025-53590, CVE-2025-53592, CVE-2025-53596: NULL pointer dereference vulnerabilities. If a remote attacker gains access to an administrator account, they can then exploit the vulnerabilities to launch a denial-of-service (DoS) attack.
- CVE-2025-52863, CVE-2025-52864, CVE-2025-52872, CVE-2025-53593: Buffer overflow vulnerabilities. If a remote attacker gains access to a user account, they can then exploit the vulnerabilities to modify memory or crash processes.
- CVE-2025-53591: Externally-controlled format string vulnerability. If a remote attacker gains access to an administrator account, they can then exploit the vulnerability to obtain secret data or modify memory.
- CVE-2025-54164, CVE-2025-54165, CVE-2025-54166: Out-of-bounds read vulnerabilities. If a remote attacker gains access to an administrator account, they can then exploit the vulnerabilities to obtain secret data.
- CVE-2025-47208, CVE-2025-57705: Allocation of resources without limits or throttling vulnerabilities. If a remote attacker gains access to an administrator account, they can then exploit the vulnerabilities to prevent other systems, applications, or processes from accessing the same type of resource.
The company has already fixed the vulnerabilities in the following versions:
| Affected Product | Fixed Version |
| --- | --- |
| QTS 5.2.x | QTS 5.2.7.3256 build 20250913 and later |
| QuTS hero h5.2.x | QuTS hero h5.2.7.3256 build 20250913 and later |
| QuTS hero h5.3.x | QuTS hero h5.3.1.3250 build 20250912 and later |
Multiple Vulnerabilities in QTS and QuTS hero
Security ID: QSA-25-51
Release date: January 3, 2026
CVE identifier: CVE-2025-9110, CVE-2025-48721, CVE-2025-59380, CVE-2025-59381, CVE-2025-62852
Severity: Moderate
Status: Resolved
Affected products: QTS 5.2.x; QuTS hero h5.2.x, h5.3.x
Summary
Multiple vulnerabilities have been reported to affect several QNAP OS versions:
- CVE-2025-9110: Exposure of sensitive system information to an unauthorized control sphere vulnerability. If exploited, remote attackers can read application data.
- CVE-2025-48721, CVE-2025-62852: Buffer overflow vulnerabilities. If a remote attacker gains access to an administrator account, they can then exploit the vulnerabilities to modify memory or crash processes.
- CVE-2025-59380, CVE-2025-59381: Path traversal vulnerabilities. If a remote attacker gains access to an administrator account, they can then exploit the vulnerabilities to read the contents of unexpected files or system data.
The company has already fixed the vulnerabilities in the following versions:
| Affected Product | Fixed Version |
| --- | --- |
| QTS 5.2.x | QTS 5.2.8.3332 build 20251128 and later |
| QuTS hero h5.2.x | QuTS hero h5.2.8.3321 build 20251117 and later |
| QuTS hero h5.3.x | QuTS hero h5.3.1.3250 build 20250912 and later |
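The two QTS/QuTS hero advisories above (QSA-25-50 and QSA-25-51) give different fixed builds for the same 5.2.x branch, and the h5.3.x branch is already fixed at the same build in both. A fleet check therefore has to compare per product line and per branch, treat the build date as the tie-breaker when the four-part version is equal, and not mistake "branch not listed" for "not affected". The following is an added example written for this page, not QNAP's own tooling or anything from the advisory; the fixed versions are copied from the two tables, the version-string format (`h5.2.7.3256 build 20250913`) is assumed from how the tables print it, and the installed versions used in the usage lines are constructed.

```python
import re
from typing import Optional

# Fixed versions copied verbatim from the QSA-25-50 and QSA-25-51 tables on this page.
# Keyed by (product line, branch); the branch is the leading "5.2" / "h5.3" of the version.
FIXED_VERSIONS = {
    "QSA-25-50": {
        ("QTS", "5.2"): "5.2.7.3256 build 20250913",
        ("QuTS hero", "h5.2"): "h5.2.7.3256 build 20250913",
        ("QuTS hero", "h5.3"): "h5.3.1.3250 build 20250912",
    },
    "QSA-25-51": {
        ("QTS", "5.2"): "5.2.8.3332 build 20251128",
        ("QuTS hero", "h5.2"): "h5.2.8.3321 build 20251117",
        ("QuTS hero", "h5.3"): "h5.3.1.3250 build 20250912",
    },
}

# Assumed format: optional "h" prefix (QuTS hero), four numeric parts, optional "build YYYYMMDD".
_VERSION_RE = re.compile(r"^(h?)(\d+)\.(\d+)\.(\d+)\.(\d+)(?:\s+build\s+(\d{8}))?$")


def parse_version(text: str):
    """Split 'h5.2.7.3256 build 20250913' into a branch ('h5.2') and a sortable key.

    The key is (major, minor, patch, revision, build_date). A missing build date is
    treated as 0, i.e. older than any dated build, so an unknown build never passes.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised QNAP version string: {text!r}")
    prefix, major, minor, patch, rev, build = m.groups()
    branch = f"{prefix}{major}.{minor}"
    key = (int(major), int(minor), int(patch), int(rev), int(build) if build else 0)
    return branch, key


def check(product: str, installed: str, advisory: str) -> Optional[bool]:
    """Return True if `installed` is at or above the advisory's fixed build for its branch,
    False if it is below it, and None if the advisory lists no fixed build for this
    product/branch at all (the advisory does not cover it; that is not a "safe" verdict)."""
    branch, key = parse_version(installed)
    fixed = FIXED_VERSIONS[advisory].get((product, branch))
    if fixed is None:
        return None
    _, fixed_key = parse_version(fixed)
    return key >= fixed_key


def outstanding_advisories(product: str, installed: str) -> list:
    """Advisories for which the installed build is known to be below the fixed version."""
    return sorted(adv for adv in FIXED_VERSIONS if check(product, installed, adv) is False)


if __name__ == "__main__":
    # Constructed installed versions, not taken from any real device.
    for product, ver in [("QTS", "5.2.7.3256 build 20250913"),
                         ("QTS", "5.2.8.3332 build 20251128"),
                         ("QuTS hero", "h5.3.0.2900 build 20250101")]:
        print(product, ver, "->", outstanding_advisories(product, ver) or "up to date for both")
```

A QTS box on 5.2.7.3256 build 20250913 passes QSA-25-50 but still needs the QSA-25-51 build; the function returns the later advisory as outstanding, which is the number you want to track rather than a per-advisory pass/fail.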
Multiple Vulnerabilities in License Center
Security ID: QSA-25-52
Release date: January 3, 2026
CVE identifier: CVE-2025-52871, CVE-2025-53597
Severity: Moderate
Status: Resolved
Affected products: License Center 2.0.x
Summary
Multiple vulnerabilities have been reported to affect License Center:
- CVE-2025-52871: Out-of-bounds read vulnerability. If a remote attacker gains access to a user account, they can then exploit the vulnerability to obtain secret data.
- CVE-2025-53597: Buffer overflow vulnerability. If a remote attacker gains access to an administrator account, they can then exploit the vulnerability to modify memory or crash processes.
The company has already fixed the vulnerabilities in the following version:
| Affected Product | Fixed Version |
| --- | --- |
| License Center 2.0.x | License Center 2.0.36 and later |
Vulnerability in MARS (Multi-Application Recovery Service)
Security ID: QSA-25-53
Release date: January 3, 2026
CVE identifier: CVE-2025-59387
Severity: Important
Status: Resolved
Affected products: MARS (Multi-Application Recovery Service) 1.2.x
Summary
An SQL injection vulnerability has been reported to affect MARS (Multi-Application Recovery Service). If exploited, a remote attacker can execute unauthorized code or commands.
The company has already fixed the vulnerability in the following version:
| Affected Product | Fixed Version |
| --- | --- |
| MARS (Multi-Application Recovery Service) 1.2.x | MARS (Multi-Application Recovery Service) 1.2.1.1686 and later |
Note: Starting from version 1.3.x, the application has been renamed to HDP for WordPress (MARS).
Vulnerability in Qfiling
Security ID: QSA-25-54
Release date: January 3, 2026
CVE identifier: CVE-2025-59384
Severity: Important
Status: Resolved
Affected products: Qfiling 3.13.x
Summary
A path traversal vulnerability has been reported to affect Qfiling. If exploited, a remote attacker can read the contents of unexpected files or system data.
The company has already fixed the vulnerability in the following version:
| Affected Product | Fixed Version |
| --- | --- |
| Qfiling 3.13.x | Qfiling 3.13.1 and later |
Vulnerability in Qfinder Pro, Qsync, and QVPN Device Client (for Mac)
Security ID: QSA-25-55
Release date: January 3, 2026
CVE identifier: CVE-2025-53594
Severity: Moderate
Status: Resolved
Affected products: Qfinder Pro (for Mac) 7.13.x, Qsync (for Mac) 5.1.x, QVPN Device Client (for Mac) 2.2.x
Summary
A path traversal vulnerability has been reported to affect several utilities. If a local attacker gains access to a user account, they can then exploit the vulnerability to read the contents of unexpected files or system data.
The company has already fixed the vulnerability in the following utilities and versions:
| Affected Product | Fixed Version |
| --- | --- |
| Qfinder Pro (for Mac) 7.13.x | Qfinder Pro (for Mac) 7.13.0 and later |
| Qsync (for Mac) 5.1.x | Qsync (for Mac) 5.1.5 and later |
| QVPN Device Client (for Mac) 2.2.x | QVPN Device Client (for Mac) 2.2.8 and later |