QNAP: Five Security Advisories on Resolved Vulnerabilities
Concerning QVR Pro, Media Streaming add-on, QuNetSwitch, QuRouter, and QuFTP service
This is a Press Release edited by StorageNewsletter.com on March 27, 2026 at 2:00 pm
QNAP Systems, Inc. has published security enhancements against security vulnerabilities that could affect specific versions of QNAP products. Use the following information and solutions to correct the security issues and vulnerabilities.
This advisory includes the following:
- Vulnerability in QVR Pro (ID: QSA-26-07)
- Vulnerability in Media Streaming Add-on (ID: QSA-26-09)
- Multiple Vulnerabilities in QuNetSwitch (ADRA NDR) (ID: QSA-26-11)
- Multiple Vulnerabilities in QuRouter (PWN2OWN 2025) (ID: QSA-26-12)
- Vulnerability in QuFTP Service (ID: QSA-26-15)
Vulnerability in QVR Pro
Security ID: QSA-26-07
Release date: March 21, 2026
CVE identifier: CVE-2026-22898 | ZDI-CAN-28327
Severity: Critical
Status: Resolved
Affected products: QVR Pro 2.7.x
Summary
A missing authentication for critical function vulnerability has been reported to affect QVR Pro. If exploited, remote attackers can gain access to the system.
The company has already fixed the vulnerability in the following version:
| Affected Product | Fixed Version |
| --- | --- |
| QVR Pro 2.7.x | QVR Pro 2.7.4.1485 and later |
Vulnerability in Media Streaming Add-on
Security ID: QSA-26-09
Release date: March 21, 2026
CVE identifier: CVE-2025-59383
Severity: Moderate
Status: Resolved
Affected products: Media Streaming Add-on 500.1.x
Summary
A buffer overflow vulnerability has been reported to affect Media Streaming Add-On. The remote attackers can then exploit the vulnerability to modify memory or crash processes.
The company has already fixed the vulnerability in the following version:
| Affected Product | Fixed Version |
| --- | --- |
| Media Streaming Add-on 500.1.x | Media Streaming Add-on 500.1.1 and later |
Multiple Vulnerabilities in QuNetSwitch (ADRA NDR)
Security ID: QSA-26-11
Release date: March 21, 2026
CVE identifier: CVE-2026-22897 | CVE-2026-22900 | CVE-2026-22901 | CVE-2026-22902
Severity: Critical
Status: Resolved
Affected products: QuNetSwitch 2.0.x
Summary
Multiple vulnerabilities have been reported to affect QuNetSwitch.
- CVE-2026-22897: Remote attackers can exploit the command injection vulnerability to execute arbitrary commands.
- CVE-2026-22900: Remote attackers can exploit the use of hard-coded credentials vulnerability to gain unauthorized access.
- CVE-2026-22901: If a remote attacker gains a user account, they can then exploit the command injection vulnerability to execute arbitrary commands.
- CVE-2026-22902: If a local attacker gains an administrator account, they can then exploit the command injection vulnerability to execute arbitrary commands.
The company has already fixed these vulnerabilities in the following versions:
| Affected Product | Fixed Version |
| --- | --- |
| QuNetSwitch 2.0.x | QuNetSwitch 2.0.4.0415 and later |
| QuNetSwitch 2.0.x | QuNetSwitch 2.0.5.0906 and later |
Multiple Vulnerabilities in QuRouter (PWN2OWN 2025)
Security ID: QSA-26-12
Release date: March 21, 2026
CVE identifier: CVE-2025-62843 | ZDI-CAN-28371 | CVE-2025-62844 | ZDI-CAN-28422 | CVE-2025-62846 | ZDI-CAN-28424 | CVE-2025-62845 | ZDI-CAN-28423
Severity: Critical
Status: Resolved
Affected products: QuRouter 2.6.x
Summary
Multiple vulnerabilities have been reported to affect QHora.
- CVE-2025-62843: If an attacker gains physical access, they can then exploit the improper restriction of communication channel to intended endpoints vulnerability to gain the privileges that were intended for the original endpoint.
- CVE-2025-62844: If an attacker gains local network access, they can then exploit the weak authentication vulnerability to gain sensitive information.
- CVE-2025-62846: If a local attacker gains an administrator account, they can then exploit the SQL injection vulnerability to execute unauthorized code or commands.
- CVE-2025-62845: If a local attacker gains an administrator account, they can then exploit the improper neutralization of escape, meta, or control sequences vulnerability to cause unexpected behavior.
The company has already fixed these vulnerabilities in the following version:
| Affected Product | Fixed Version |
| --- | --- |
| QuRouter 2.6.x | QuRouter 2.6.3.009 and later |
Vulnerability in QuFTP Service
Security ID: QSA-26-15
Release date: March 21, 2026
CVE identifier: CVE-2026-22895
Severity: Moderate
Status: Resolved
Affected products: QuFTP Service 1.4.x, QuFTP Service 1.5.x, QuFTP Service 1.6.x
Summary
A cross-site scripting (XSS) vulnerability has been reported to affect QuFTP Service. If a remote attacker gains an administrator account, they can then exploit the vulnerability to bypass security mechanisms or read application data.
The company has already fixed the vulnerability in the following versions:
| Affected Product | Fixed Version |
| --- | --- |
| QuFTP Service 1.4.x | QuFTP Service 1.4.3 and later |
| QuFTP Service 1.5.x | QuFTP Service 1.5.2 and later |
| QuFTP Service 1.6.x | QuFTP Service 1.6.2 and later |
Contact: Questions regarding this issue






