
QNAP: Seven Security Advisories on Resolved Vulnerabilities

Concerning Media Streaming add-on, Qsync Central, File Station 5, Apache, QTS and QuTS hero NAS OSs, and Samba

QNAP Systems, Inc. has published security enhancements addressing vulnerabilities that could affect specific versions of QNAP products.

Use the following information and solutions to correct the security issues and vulnerabilities.

This advisory includes the following:

Multiple Vulnerabilities in Media Streaming add-on      
Security ID: QSA-25-57
Release date: February 12, 2026
CVE identifier: CVE-2024-56807 | CVE-2024-56808
Severity: Moderate
Status: Resolved
Affected products: Media Streaming add-on 500.1.x

Summary
Multiple vulnerabilities have been reported to affect Media Streaming add-on:

  • CVE-2024-56807: Out-of-bounds read vulnerability
    If an attacker gains access to the local network, they can then exploit the vulnerability to obtain secret data.

  • CVE-2024-56808: Command injection vulnerability
    If an attacker gains access to the local network and a user account, they can then exploit the vulnerability to execute arbitrary commands

The company has already fixed the vulnerabilities in the following version:

| Affected Product | Fixed Version |
|---|---|
| Media Streaming add-on 500.1.x | Media Streaming add-on 500.1.1.6 (2024/08/02) and later |

More information

Multiple Vulnerabilities in Qsync Central     
Security ID: QSA-26-02
Release date: February 12, 2026
CVE identifier: CVE-2025-30269 | CVE-2025-30276 | CVE-2025-47209 | CVE-2025-48722 | CVE-2025-48723 | CVE-2025-48724 | CVE-2025-52868 | CVE-2025-52869 | CVE-2025-52870 | CVE-2025-53598 | CVE-2025-54146 | CVE-2025-54147 | CVE-2025-54148 | CVE-2025-54149 | CVE-2025-54150..
Severity: Moderate
Status: Resolved
Affected products: Qsync Central 5.0.x

Summary
Multiple vulnerabilities have been reported to affect Qsync Central:

  • CVE-2025-30269: Use of externally-controlled format string vulnerability
    If a remote attacker gains access to a user account, they can then exploit the vulnerability to obtain secret data or modify memory

  • CVE-2025-54170: Out-of-bounds read vulnerability
    If a remote attacker gains access to a user account, they can then exploit the vulnerability to obtain secret data

  • CVE-2025-30276: Out-of-bounds write vulnerability
    If a remote attacker gains access to a user account, they can then exploit the vulnerability to modify or corrupt memory

  • CVE-2025-47209, CVE-2025-48722, CVE-2025-53598, CVE-2025-54146, CVE-2025-54147, CVE-2025-54148, CVE-2025-58472, CVE-2025-30266: NULL pointer dereference vulnerabilities
    If a remote attacker gains access to a user account, they can then exploit the vulnerabilities to launch a denial-of-service (DoS) attack

  • CVE-2025-48723, CVE-2025-48724, CVE-2025-52868, CVE-2025-52869, CVE-2025-52870, CVE-2025-57709: Buffer overflow vulnerabilities
    If a remote attacker gains access to a user account, they can then exploit the vulnerabilities to modify memory or crash processes

  • CVE-2025-54149, CVE-2025-54150, CVE-2025-54151: Uncontrolled resource consumption vulnerabilities
    If a local attacker gains access to a user account, they can then exploit the vulnerabilities to launch a denial-of-service (DoS) attack

  • CVE-2025-54152: Out-of-range pointer offset vulnerability
    If a remote attacker gains access to a user account, they can then exploit the vulnerability to read sensitive portions of memory

  • CVE-2025-57708, CVE-2025-57710, CVE-2025-57711, CVE-2025-58471: Allocation of resources without limits or throttling vulnerabilities
    If a remote attacker gains access to a user account, they can then exploit the vulnerabilities to prevent other systems, applications, or processes from accessing the same type of resource

  • CVE-2025-58467, CVE-2025-58470, CVE-2025-68406: Relative path traversal vulnerabilities
    If a remote attacker gains access to a user account, they can then exploit the vulnerabilities to read the contents of unexpected files or system data

The company has already fixed the vulnerabilities in the following version:

| Affected Product | Fixed Version |
|---|---|
| Qsync Central 5.0.x | Qsync Central 5.0.0.4 (2026/01/20) and later |

More information

Multiple Vulnerabilities in File Station 5          
Security ID: QSA-26-03
Release date: February 12, 2026
CVE identifier: CVE-2025-54155 | CVE-2025-54161 | CVE-2025-54162 | CVE-2025-54163 | CVE-2025-54169 | CVE-2025-57707 | CVE-2025-57713 | CVE-2025-62853 | CVE-2025-62854 | CVE-2025-62855 | CVE-2025-62856 | CVE-2025-66278 | CVE-2026-22894
Severity: Important
Status: Resolved
Affected products: File Station 5 version 5.5.x

Summary
Multiple vulnerabilities have been reported to affect File Station 5:

  • CVE-2025-54155, CVE-2025-54161: Allocation of resources without limits or throttling vulnerability
    If a remote attacker gains access to an administrator account, they can then exploit the vulnerability to prevent other systems, applications, or processes from accessing the same type of resource

  • CVE-2025-54162: Path traversal vulnerability
    If a remote attacker gains access to an administrator account, they can then exploit the vulnerability to read the contents of unexpected files or system data

  • CVE-2025-62853, CVE-2025-66278, CVE-2026-22894: Path traversal vulnerability
    If a remote attacker gains access to a user account, they can then exploit the vulnerability to read the contents of unexpected files or system data

  • CVE-2025-62855, CVE-2025-62856: Path traversal vulnerability
    If a local attacker gains an administrator account, they can then exploit the vulnerability to read the contents of unexpected files or system data

  • CVE-2025-54163: NULL pointer dereference vulnerability
    If a remote attacker gains access to an administrator account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack

  • CVE-2025-54169: Out-of-bounds read vulnerability
    If a remote attacker gains access to a user account, they can then exploit the vulnerability to obtain secret data

  • CVE-2025-57707: Improper neutralization of directives in statically saved code (static code injection) vulnerability
    If a remote attacker gains access to a user account, they can then exploit the vulnerability to access restricted data or files

  • CVE-2025-57713: Weak authentication vulnerability
    If exploited, remote attackers can gain sensitive information

  • CVE-2025-62854: Uncontrolled resource consumption vulnerability
    If a remote attacker gains a user account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack

The company has already fixed the vulnerabilities in the following version:

| Affected Product | Fixed Version |
|---|---|
| File Station 5 version 5.5.x | File Station 5 version 5.5.6.5190 and later |

More information

Vulnerabilities in Apache    
Security ID: QSA-26-04
Release date: February 12, 2026
CVE identifier: CVE-2024-42516 | CVE-2024-43204 | CVE-2024-43394 | CVE-2024-47252 | CVE-2025-23048 | CVE-2025-49630 | CVE-2025-49812 | CVE-2025-53020 | CVE-2025-54090
Severity: Moderate
Status: Resolved
Affected products: QTS 5.2.x; QuTS hero h5.2.x, h5.3.x

Summary
Multiple vulnerabilities have been reported in Apache, affecting certain QNAP OS versions.

The company has already fixed the vulnerabilities in the following versions:

| Affected Product | Fixed Version |
|---|---|
| QTS 5.2.x | QTS 5.2.8.3332 build 20251128 and later |
| QuTS hero h5.2.x | QuTS hero h5.2.8.3321 build 20251117 and later |
| QuTS hero h5.3.x | QuTS hero h5.3.2.3354 build 20251225 and later |

More information 

Multiple Vulnerabilities in QTS and QuTS hero    
Security ID: QSA-26-05
Release date: February 12, 2026
CVE identifier: CVE-2025-47205 | CVE-2025-58466 | CVE-2025-66277
Severity: Important
Status: Resolved
Affected products: QTS 5.2.x, QuTS hero h5.2.x

Summary
Multiple vulnerabilities have been reported to affect certain QNAP OS versions:

  • CVE-2025-58466: Use of uninitialized variable vulnerability
    If a remote attacker gains access to an administrator account, they can then exploit the vulnerability to cause denial-of-service (DoS) conditions or modify control flow in unexpected ways

  • CVE-2025-47205: NULL pointer dereference vulnerability
    If a remote attacker gains access to an administrator account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack

  • CVE-2025-66277: Link following vulnerability
    If exploited, remote attackers can traverse the file system to unintended locations

The company has already fixed the vulnerabilities in the following versions:

| Affected Product | Fixed Version |
|---|---|
| QTS 5.2.x | QTS 5.2.8.3350 build 20251216 and later |
| QuTS hero h5.2.x | QuTS hero h5.2.8.3350 build 20251216 and later |

More information

Vulnerabilities in Samba    
Security ID: QSA-26-06
Release date: February 12, 2026
CVE identifier: CVE-2025-10230 | CVE-2025-9640
Severity: Moderate
Status: Resolved
Affected products: QTS 5.2.x; QuTS hero h5.2.x, h5.3.x

Summary
Multiple vulnerabilities have been reported in Samba, affecting certain QNAP OS versions.

The company has already fixed the vulnerabilities in the following versions:

| Affected Product | Fixed Version |
|---|---|
| QTS 5.2.x | QTS 5.2.8.3332 build 20251128 and later |
| QuTS hero h5.2.x | QuTS hero h5.2.8.3321 build 20251117 and later |
| QuTS hero h5.3.x | QuTS hero h5.3.2.3354 build 20251225 and later |

More information

Multiple Vulnerabilities in QuTS hero    
Security ID: QSA-26-08
Release date: February 12, 2026
CVE identifier: CVE-2025-48725 | CVE-2025-59386 | CVE-2025-66274
Severity: Low
Status: Resolved
Affected products: QuTS hero h5.3.x

Summary
Multiple vulnerabilities have been reported to affect QuTS hero:

  • CVE-2025-48725: Buffer overflow vulnerability
    If a remote attacker gains access to a user account, they can then exploit the vulnerability to modify memory or crash processes.

  • CVE-2025-66274, CVE-2025-59386: NULL pointer dereference vulnerability
    If a remote attacker gains access to an administrator account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack.

The company has already fixed the vulnerabilities in the following version:

| Affected Product | Fixed Version |
|---|---|
| QuTS hero h5.3.x | QuTS hero h5.3.2.3354 build 20251225 and later |

More information
