QNAP Security Advisory

Bulletin ID: QSA-25-57, QSA-26-02, QSA-26-03, QSA-26-04, QSA-26-05, QSA-26-06, QSA-26-08

Taipei, Taiwan, February 12, 2026 - QNAP® has published security enhancements against security vulnerabilities that could affect specific versions of QNAP products. Please use the following information and solutions to correct the security issues and vulnerabilities.

This advisory includes the following:
Multiple Vulnerabilities in Media Streaming add-on (ID: QSA-25-57)
Multiple Vulnerabilities in Qsync Central (ID: QSA-26-02)
Multiple Vulnerabilities in File Station 5 (ID: QSA-26-03)
Vulnerabilities in Apache (ID: QSA-26-04)
Multiple Vulnerabilities in QTS and QuTS hero (ID: QSA-26-05)
Vulnerabilities in Samba (ID: QSA-26-06)
Multiple Vulnerabilities in QuTS hero (ID: QSA-26-08)



Multiple Vulnerabilities in Media Streaming add-on
Security ID: QSA-25-57
Release date: February 12, 2026

CVE identifier: CVE-2024-56807 | CVE-2024-56808

Severity: Moderate

Status: Resolved

Affected products: Media Streaming add-on 500.1.x
Summary


Multiple vulnerabilities have been reported to affect Media Streaming add-on:

CVE-2024-56807: Out-of-bounds read vulnerability

If an attacker gains access to the local network, they can then exploit the vulnerability to obtain secret data.
CVE-2024-56808: Command injection vulnerability

If an attacker gains access to the local network and a user account, they can then exploit the vulnerability to execute arbitrary commands.

We have already fixed the vulnerabilities in the following version:



Affected Product | Fixed Version
Media Streaming add-on 500.1.x | Media Streaming add-on 500.1.1.6 (2024/08/02) and later









Multiple Vulnerabilities in Qsync Central
Security ID: QSA-26-02

Release date: February 12, 2026

CVE identifier: CVE-2025-30269 | CVE-2025-30276 | CVE-2025-47209 | CVE-2025-48722 | CVE-2025-48723 | CVE-2025-48724 | CVE-2025-52868 | CVE-2025-52869 | CVE-2025-52870 | CVE-2025-53598 | CVE-2025-54146 | CVE-2025-54147 | CVE-2025-54148 | CVE-2025-54149 | CVE-2025-54150..

Severity: Moderate

Status: Resolved

Affected products: Qsync Central 5.0.x
Summary

Multiple vulnerabilities have been reported to affect Qsync Central:

CVE-2025-30269: Use of externally-controlled format string vulnerability

If a remote attacker gains access to a user account, they can then exploit the vulnerability to obtain secret data or modify memory.
CVE-2025-54170: Out-of-bounds read vulnerability

If a remote attacker gains access to a user account, they can then exploit the vulnerability to obtain secret data.
CVE-2025-30276: Out-of-bounds write vulnerability

If a remote attacker gains access to a user account, they can then exploit the vulnerability to modify or corrupt memory.
CVE-2025-47209, CVE-2025-48722, CVE-2025-53598, CVE-2025-54146, CVE-2025-54147, CVE-2025-54148, CVE-2025-58472, CVE-2025-30266: NULL pointer dereference vulnerabilities

If a remote attacker gains access to a user account, they can then exploit the vulnerabilities to launch a denial-of-service (DoS) attack.
CVE-2025-48723, CVE-2025-48724, CVE-2025-52868, CVE-2025-52869, CVE-2025-52870, CVE-2025-57709: Buffer overflow vulnerabilities

If a remote attacker gains access to a user account, they can then exploit the vulnerabilities to modify memory or crash processes.
CVE-2025-54149, CVE-2025-54150, CVE-2025-54151: Uncontrolled resource consumption vulnerabilities

If a local attacker gains access to a user account, they can then exploit the vulnerabilities to launch a denial-of-service (DoS) attack.
CVE-2025-54152: Out-of-range pointer offset vulnerability

If a remote attacker gains access to a user account, they can then exploit the vulnerability to read sensitive portions of memory.
CVE-2025-57708, CVE-2025-57710, CVE-2025-57711, CVE-2025-58471: Allocation of resources without limits or throttling vulnerabilities

If a remote attacker gains access to a user account, they can then exploit the vulnerabilities to prevent other systems, applications, or processes from accessing the same type of resource.
CVE-2025-58467, CVE-2025-58470, CVE-2025-68406: Relative path traversal vulnerabilities

If a remote attacker gains access to a user account, they can then exploit the vulnerabilities to read the contents of unexpected files or system data.

We have already fixed the vulnerabilities in the following version:



Affected Product | Fixed Version
Qsync Central 5.0.x | Qsync Central 5.0.0.4 (2026/01/20) and later







Multiple Vulnerabilities in File Station 5
Security ID: QSA-26-03

Release date: February 12, 2026

CVE identifier: CVE-2025-54155 | CVE-2025-54161 | CVE-2025-54162 | CVE-2025-54163 | CVE-2025-54169 | CVE-2025-57707 | CVE-2025-57713 | CVE-2025-62853 | CVE-2025-62854 | CVE-2025-62855 | CVE-2025-62856 | CVE-2025-66278 | CVE-2026-22894

Severity: Important

Status: Resolved

Affected products: File Station 5 version 5.5.x
Summary

Multiple vulnerabilities have been reported to affect File Station 5:

CVE-2025-54155, CVE-2025-54161: Allocation of resources without limits or throttling vulnerability

If a remote attacker gains access to an administrator account, they can then exploit the vulnerability to prevent other systems, applications, or processes from accessing the same type of resource.
CVE-2025-54162: Path traversal vulnerability

If a remote attacker gains access to an administrator account, they can then exploit the vulnerability to read the contents of unexpected files or system data.
CVE-2025-62853, CVE-2025-66278, CVE-2026-22894: Path traversal vulnerability

If a remote attacker gains access to a user account, they can then exploit the vulnerability to read the contents of unexpected files or system data.
CVE-2025-62855, CVE-2025-62856: Path traversal vulnerability

If a local attacker gains an administrator account, they can then exploit the vulnerability to read the contents of unexpected files or system data.
CVE-2025-54163: NULL pointer dereference vulnerability

If a remote attacker gains access to an administrator account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack.
CVE-2025-54169: Out-of-bounds read vulnerability

If a remote attacker gains access to a user account, they can then exploit the vulnerability to obtain secret data.
CVE-2025-57707: Improper neutralization of directives in statically saved code (static code injection) vulnerability

If a remote attacker gains access to a user account, they can then exploit the vulnerability to access restricted data or files.
CVE-2025-57713: Weak authentication vulnerability

If exploited, remote attackers can gain sensitive information.
CVE-2025-62854: Uncontrolled resource consumption vulnerability

If a remote attacker gains a user account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack.

We have already fixed the vulnerabilities in the following version:



Affected Product | Fixed Version
File Station 5 version 5.5.x | File Station 5 version 5.5.6.5190 and later








Vulnerabilities in Apache
Security ID: QSA-26-04

Release date: February 12, 2026

CVE identifier: CVE-2024-42516 | CVE-2024-43204 | CVE-2024-43394 | CVE-2024-47252 | CVE-2025-23048 | CVE-2025-49630 | CVE-2025-49812 | CVE-2025-53020 | CVE-2025-54090

Severity: Moderate

Status: Resolved

Affected products: QTS 5.2.x; QuTS hero h5.2.x, h5.3.x
Summary
Multiple vulnerabilities have been reported in Apache, affecting certain QNAP operating system versions.

We have already fixed the vulnerabilities in the following versions:



Affected Product | Fixed Version
QTS 5.2.x | QTS 5.2.8.3332 build 20251128 and later
QuTS hero h5.2.x | QuTS hero h5.2.8.3321 build 20251117 and later
QuTS hero h5.3.x | QuTS hero h5.3.2.3354 build 20251225 and later








Multiple Vulnerabilities in QTS and QuTS hero
Security ID: QSA-26-05
Release date: February 12, 2026

CVE identifier: CVE-2025-47205 | CVE-2025-58466 | CVE-2025-66277

Severity: Important

Status: Resolved

Affected products: QTS 5.2.x, QuTS hero h5.2.x
Summary


Multiple vulnerabilities have been reported to affect certain QNAP operating system versions:

CVE-2025-58466: Use of uninitialized variable vulnerability

If a remote attacker gains access to an administrator account, they can then exploit the vulnerability to cause denial-of-service (DoS) conditions or modify control flow in unexpected ways.
CVE-2025-47205: NULL pointer dereference vulnerability

If a remote attacker gains access to an administrator account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack.
CVE-2025-66277: Link following vulnerability

If exploited, remote attackers can traverse the file system to unintended locations.

We have already fixed the vulnerabilities in the following versions:



Affected Product | Fixed Version
QTS 5.2.x | QTS 5.2.8.3350 build 20251216 and later
QuTS hero h5.2.x | QuTS hero h5.2.8.3350 build 20251216 and later








Vulnerabilities in Samba
Security ID: QSA-26-06
Release date: February 12, 2026

CVE identifier: CVE-2025-10230 | CVE-2025-9640

Severity: Moderate

Status: Resolved

Affected products: QTS 5.2.x; QuTS hero h5.2.x, h5.3.x
Summary


Multiple vulnerabilities have been reported in Samba, affecting certain QNAP operating system versions.

We have already fixed the vulnerabilities in the following versions:




Affected Product | Fixed Version
QTS 5.2.x | QTS 5.2.8.3332 build 20251128 and later
QuTS hero h5.2.x | QuTS hero h5.2.8.3321 build 20251117 and later
QuTS hero h5.3.x | QuTS hero h5.3.2.3354 build 20251225 and later







Multiple Vulnerabilities in QuTS hero
Security ID: QSA-26-08

Release date: February 12, 2026

CVE identifier: CVE-2025-48725 | CVE-2025-59386 | CVE-2025-66274

Severity: Low

Status: Resolved

Affected products: QuTS hero h5.3.x
Summary


Multiple vulnerabilities have been reported to affect QuTS hero:

CVE-2025-48725: Buffer overflow vulnerability

If a remote attacker gains access to a user account, they can then exploit the vulnerability to modify memory or crash processes.
CVE-2025-66274, CVE-2025-59386: NULL pointer dereference vulnerability

If a remote attacker gains access to an administrator account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack.

We have already fixed the vulnerabilities in the following version:



Affected Product | Fixed Version
QuTS hero h5.3.x | QuTS hero h5.3.2.3354 build 20251225 and later
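
The operating-system bulletins in this advisory (QSA-26-04, QSA-26-05, QSA-26-06, QSA-26-08) list different fixed builds for the same branch, so a device is covered only once it meets the highest of them. The check below is an added example, not QNAP code: the function names are hypothetical, the table is copied from this advisory, and the installed version is assumed to be supplied in the advisory's own "5.2.8.3350 build 20251216" format.

```python
import re

# Fixed firmware versions copied from the QSA-26-04/05/06/08 tables above,
# keyed by (product, branch). App bulletins (Media Streaming add-on, Qsync
# Central, File Station 5) use other version formats and are not covered.
FIXED = {
    ("QTS", "5.2"): [
        ("QSA-26-04", "5.2.8.3332 build 20251128"),
        ("QSA-26-05", "5.2.8.3350 build 20251216"),
        ("QSA-26-06", "5.2.8.3332 build 20251128"),
    ],
    ("QuTS hero", "h5.2"): [
        ("QSA-26-04", "h5.2.8.3321 build 20251117"),
        ("QSA-26-05", "h5.2.8.3350 build 20251216"),
        ("QSA-26-06", "h5.2.8.3321 build 20251117"),
    ],
    ("QuTS hero", "h5.3"): [
        ("QSA-26-04", "h5.3.2.3354 build 20251225"),
        ("QSA-26-06", "h5.3.2.3354 build 20251225"),
        ("QSA-26-08", "h5.3.2.3354 build 20251225"),
    ],
}

# Assumed input format, taken from the advisory: "h5.2.8.3350 build 20251216".
_VERSION = re.compile(r"^(h?)(\d+(?:\.\d+){3})(?:\s+build\s+(\d{8}))?$")


def parse(version):
    """Split a version string into (branch, sortable tuple)."""
    m = _VERSION.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    prefix, dotted, build = m.groups()
    nums = tuple(int(part) for part in dotted.split("."))
    # A missing build date sorts lowest, so an equal version number without
    # a build is reported as unpatched rather than assumed fixed.
    return f"{prefix}{nums[0]}.{nums[1]}", nums + (int(build or 0),)


def missing_fixes(product, installed):
    """List (bulletin, fixed version) pairs the installed firmware predates.

    Returns [] for branches this advisory does not list as affected.
    """
    branch, key = parse(installed)
    return [(bulletin, fixed)
            for bulletin, fixed in FIXED.get((product, branch), [])
            if key < parse(fixed)[1]]
```

A QTS 5.2.x device updated only to the QSA-26-04 and QSA-26-06 fixed build (5.2.8.3332) still predates the QSA-26-05 fix, which this check reports.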















If you have any questions regarding this issue, please contact us at https://www.qnap.com/go/support-ticket/.

Copyright © 2026 QNAP Systems, Inc. All rights reserved