QNAP Security Advisory
Bulletin ID: QSA-25-49, QSA-25-50, QSA-25-51, QSA-25-52, QSA-25-53, QSA-25-54, QSA-25-55
Taipei, Taiwan, January 3, 2026 - QNAP® has published security enhancements against security vulnerabilities that could affect specific versions of QNAP products. Please use the following information and solutions to correct the security issues and vulnerabilities.
This advisory includes the following:
Vulnerability in QuMagie (ID: QSA-25-49)
Multiple Vulnerabilities in QTS and QuTS hero (ID: QSA-25-50)
Multiple Vulnerabilities in QTS and QuTS hero (ID: QSA-25-51)
Multiple Vulnerabilities in License Center (ID: QSA-25-52)
Vulnerability in MARS (Multi-Application Recovery Service) (ID: QSA-25-53)
Vulnerability in Qfiling (ID: QSA-25-54)
Vulnerability in Qfinder Pro, Qsync, and QVPN Device Client (for Mac) (ID: QSA-25-55)
Vulnerability in QuMagie
Security ID: QSA-25-49
Release date: January 3, 2026
CVE identifier: CVE-2025-62857
Severity: Moderate
Status: Resolved
Affected products: QuMagie 2.x
Summary
A cross-site scripting (XSS) vulnerability has been reported to affect QuMagie. If exploited, remote attackers could bypass security mechanisms or read application data.
We have already fixed the vulnerability in the following version:
Affected Product        Fixed Version
QuMagie 2.x             QuMagie 2.8.1 and later
Multiple Vulnerabilities in QTS and QuTS hero
Security ID: QSA-25-50
Release date: January 3, 2026
CVE identifier: CVE-2025-44013, CVE-2025-47208, CVE-2025-52426, CVE-2025-52430, CVE-2025-52431, CVE-2025-52863, CVE-2025-52864, CVE-2025-52872, CVE-2025-53405, CVE-2025-53414, CVE-2025-53589, CVE-2025-53590, CVE-2025-53591, CVE-2025-53592, CVE-2025-53593, CVE-2025-53596
Severity: Moderate
Status: Resolved
Affected products: QTS 5.2.x; QuTS hero h5.2.x, h5.3.x
Summary
Multiple vulnerabilities have been reported to affect several QNAP operating system versions:
CVE-2025-44013, CVE-2025-52426, CVE-2025-52430, CVE-2025-52431, CVE-2025-53405, CVE-2025-53414, CVE-2025-53589, CVE-2025-53590, CVE-2025-53592, CVE-2025-53596: NULL pointer dereference vulnerabilities
If a remote attacker gains access to an administrator account, they can then exploit the vulnerabilities to launch a denial-of-service (DoS) attack.
CVE-2025-52863, CVE-2025-52864, CVE-2025-52872, CVE-2025-53593: Buffer overflow vulnerabilities
If a remote attacker gains access to a user account, they can then exploit the vulnerabilities to modify memory or crash processes.
CVE-2025-53591: Externally-controlled format string vulnerability
If a remote attacker gains access to an administrator account, they can then exploit the vulnerability to obtain secret data or modify memory.
CVE-2025-54164, CVE-2025-54165, CVE-2025-54166: Out-of-bounds read vulnerabilities
If a remote attacker gains access to an administrator account, they can then exploit the vulnerabilities to obtain secret data.
CVE-2025-47208, CVE-2025-57705: Allocation of resources without limits or throttling vulnerabilities
If a remote attacker gains access to an administrator account, they can then exploit the vulnerabilities to prevent other systems, applications, or processes from accessing the same type of resource.
We have already fixed the vulnerabilities in the following versions:
Affected Product        Fixed Version
QTS 5.2.x               QTS 5.2.7.3256 build 20250913 and later
QuTS hero h5.2.x        QuTS hero h5.2.7.3256 build 20250913 and later
QuTS hero h5.3.x        QuTS hero h5.3.1.3250 build 20250912 and later
Multiple Vulnerabilities in QTS and QuTS hero
Security ID: QSA-25-51
Release date: January 3, 2026
CVE identifier: CVE-2025-9110, CVE-2025-48721, CVE-2025-59380, CVE-2025-59381, CVE-2025-62852
Severity: Moderate
Status: Resolved
Affected products: QTS 5.2.x; QuTS hero h5.2.x, h5.3.x
Summary
Multiple vulnerabilities have been reported to affect several QNAP operating system versions:
CVE-2025-9110: Exposure of sensitive system information to an unauthorized control sphere vulnerability
If exploited, remote attackers can read application data.
CVE-2025-48721, CVE-2025-62852: Buffer overflow vulnerabilities
If a remote attacker gains access to an administrator account, they can then exploit the vulnerabilities to modify memory or crash processes.
CVE-2025-59380, CVE-2025-59381: Path traversal vulnerabilities
If a remote attacker gains access to an administrator account, they can then exploit the vulnerabilities to read the contents of unexpected files or system data.
We have already fixed the vulnerabilities in the following versions:
Affected Product        Fixed Version
QTS 5.2.x               QTS 5.2.8.3332 build 20251128 and later
QuTS hero h5.2.x        QuTS hero h5.2.8.3321 build 20251117 and later
QuTS hero h5.3.x        QuTS hero h5.3.1.3250 build 20250912 and later
Multiple Vulnerabilities in License Center
Security ID: QSA-25-52
Release date: January 3, 2026
CVE identifier: CVE-2025-52871, CVE-2025-53597
Severity: Moderate
Status: Resolved
Affected products: License Center 2.0.x
Summary
Multiple vulnerabilities have been reported to affect License Center:
CVE-2025-52871: Out-of-bounds read vulnerability
If a remote attacker gains access to a user account, they can then exploit the vulnerability to obtain secret data.
CVE-2025-53597: Buffer overflow vulnerability
If a remote attacker gains access to an administrator account, they can then exploit the vulnerability to modify memory or crash processes.
We have already fixed the vulnerabilities in the following version:
Affected Product        Fixed Version
License Center 2.0.x    License Center 2.0.36 and later
Vulnerability in MARS (Multi-Application Recovery Service)
Security ID: QSA-25-53
Release date: January 3, 2026
CVE identifier: CVE-2025-59387
Severity: Important
Status: Resolved
Affected products: MARS (Multi-Application Recovery Service) 1.2.x
Summary
An SQL injection vulnerability has been reported to affect MARS (Multi-Application Recovery Service). If exploited, a remote attacker can execute unauthorized code or commands.
We have already fixed the vulnerability in the following version:
Affected Product                                  Fixed Version
MARS (Multi-Application Recovery Service) 1.2.x   MARS (Multi-Application Recovery Service) 1.2.1.1686 and later
Note: Starting from version 1.3.x, the application has been renamed to HDP for Wordpress (MARS).
Vulnerability in Qfiling
Security ID: QSA-25-54
Release date: January 3, 2026
CVE identifier: CVE-2025-59384
Severity: Important
Status: Resolved
Affected products: Qfiling 3.13.x
Summary
A path traversal vulnerability has been reported to affect Qfiling. If exploited, a remote attacker can read the contents of unexpected files or system data.
We have already fixed the vulnerability in the following version:
Affected Product        Fixed Version
Qfiling 3.13.x          Qfiling 3.13.1 and later
Vulnerability in Qfinder Pro, Qsync, and QVPN Device Client (for Mac)
Security ID: QSA-25-55
Release date: January 3, 2026
CVE identifier: CVE-2025-53594
Severity: Moderate
Status: Resolved
Affected products: Qfinder Pro (for Mac) 7.13.x, Qsync (for Mac) 5.1.x, QVPN Device Client (for Mac) 2.2.x
Summary
A path traversal vulnerability has been reported to affect several utilities. If a local attacker gains access to a user account, they can then exploit the vulnerability to read the contents of unexpected files or system data.
We have already fixed the vulnerability in the following utilities and versions:
Affected Product                      Fixed Version
Qfinder Pro (for Mac) 7.13.x          Qfinder Pro (for Mac) 7.13.0 and later
Qsync (for Mac) 5.1.x                 Qsync (for Mac) 5.1.5 and later
QVPN Device Client (for Mac) 2.2.x    QVPN Device Client (for Mac) 2.2.8 and later
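An added defensive check, not QNAP's own code: the script below compares an installed version string against the fixed versions copied from the tables in this advisory and reports whether the system is fixed, still affected, or on a branch the advisory does not list. The version-string format (optional "h" prefix for QuTS hero, dotted numbers, optional "build YYYYMMDD" suffix) is assumed from the table entries; for QTS and QuTS hero, which appear in both QSA-25-50 and QSA-25-51, the later fixed build per branch is used so that one threshold covers both advisories.

```python
import re

# Fixed versions copied from the tables in this advisory (QSA-25-49 to QSA-25-55).
# QTS and QuTS hero appear in both QSA-25-50 and QSA-25-51; the later fixed build
# is recorded per branch because it covers both advisories.
FIXED = {
    "QTS": {"5.2": "5.2.8.3332 build 20251128"},
    "QuTS hero": {"h5.2": "h5.2.8.3321 build 20251117",
                  "h5.3": "h5.3.1.3250 build 20250912"},
    "QuMagie": {"2": "2.8.1"},
    "License Center": {"2.0": "2.0.36"},
    "MARS": {"1.2": "1.2.1.1686"},
    "Qfiling": {"3.13": "3.13.1"},
    "Qfinder Pro (for Mac)": {"7.13": "7.13.0"},
    "Qsync (for Mac)": {"5.1": "5.1.5"},
    "QVPN Device Client (for Mac)": {"2.2": "2.2.8"},
}

# Assumed format: optional 'h' prefix (QuTS hero), dotted numbers, optional 'build YYYYMMDD'.
_VER_RE = re.compile(r"^h?(\d+(?:\.\d+)*)(?:\s+build\s+(\d{8}))?$")


def parse_version(text):
    """'h5.2.8.3321 build 20251117' -> ((5, 2, 8, 3321), 20251117).
    The 'h' prefix carries no ordering information and is dropped;
    a missing build date compares as 0."""
    m = _VER_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised QNAP version string: {text!r}")
    numbers = tuple(int(p) for p in m.group(1).split("."))
    build = int(m.group(2)) if m.group(2) else 0
    return numbers, build


def check(product, installed):
    """Return 'fixed', 'affected' or 'branch not listed'.
    Only the branches named in the advisory are judged; an installed
    version from another branch is reported as not listed rather than
    assumed safe or unsafe."""
    inst = parse_version(installed)
    for branch, fixed in FIXED.get(product, {}).items():
        prefix = parse_version(branch)[0]
        if inst[0][:len(prefix)] != prefix:
            continue
        # Tuple comparison orders the version numbers first, then the build date.
        return "fixed" if inst >= parse_version(fixed) else "affected"
    return "branch not listed"
```

Note that a QTS 5.2.7.3256 build 20250913 system is reported as affected: it meets the QSA-25-50 threshold but not the later QSA-25-51 one.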
If you have any questions regarding this issue, please contact us at https://www.qnap.com/go/support-ticket/.
Copyright © 2026 QNAP Systems, Inc. All rights reserved