QNAP QNAP

  1. Vendors
  2. QNAP

Don't miss out!

Thousands of developers use stack.watch to stay informed.
Get an email whenever new security vulnerabilities are reported in any QNAP product.

RSS Feeds for QNAP security vulnerabilities

Create a CVE RSS feed including security vulnerabilities found in QNAP products with stack.watch. Just hit watch, then grab your custom RSS feed url.

Products by QNAP Sorted by Most Security Vulnerabilities since 2018

QNAP Qts204 vulnerabilities

QNAP Quts Hero124 vulnerabilities

QNAP Qutscloud52 vulnerabilities

QNAP File Station19 vulnerabilities

QNAP Qsync Central16 vulnerabilities

QNAP Photo Station11 vulnerabilities

QNAP Video Station10 vulnerabilities

QNAP Qvr9 vulnerabilities

QNAP Qumagie9 vulnerabilities

QNAP Multimedia Console4 vulnerabilities

QNAP Music Station4 vulnerabilities

QNAP Qulog Center4 vulnerabilities

QNAP Helpdesk4 vulnerabilities

QNAP Download Station3 vulnerabilities

QNAP Qcalagent3 vulnerabilities

QNAP Notes Station 32 vulnerabilities

QNAP Netbak Replicator2 vulnerabilities

QNAP Qvpn2 vulnerabilities

Myqnapcloud2 vulnerabilities

QNAP Container Station1 vulnerability

Qnap Authenticator1 vulnerability

QNAP Qvr Smart Client1 vulnerability

QNAP Qvr Pro Client1 vulnerability

QNAP Qvr Firmware1 vulnerability

QNAP Media Streaming Add On1 vulnerability

QNAP Qusbcam21 vulnerability

QNAP Notification Center1 vulnerability

Known Exploited QNAP Vulnerabilities

The following QNAP vulnerabilities have been marked by CISA as Known to be Exploited by threat actors.

Title Description Added
QNAP VioStor NVR OS Command Injection Vulnerability QNAP VioStar NVR contains an OS command injection vulnerability that allows authenticated users to execute commands via a network.
CVE-2023-47565 Exploit Probability: 83.2% 		December 21, 2023
QNAP Photo Station Externally Controlled Reference Vulnerability Certain QNAP NAS running Photo Station with internet exposure contain an externally controlled reference to a resource vulnerability which can allow an attacker to modify system files. This vulnerability was observed being utilized in a Deadbolt ransomware campaign.
CVE-2022-27593 Exploit Probability: 93.3% 		September 8, 2022
QNAP Photo Station Path Traversal Vulnerability QNAP devices running Photo Station contains an external control of file name or path vulnerability allowing remote attackers to access or modify system files.
CVE-2019-7195 Exploit Probability: 93.5% 		June 8, 2022
QNAP Photo Station Path Traversal Vulnerability QNAP devices running Photo Station contains an external control of file name or path vulnerability allowing remote attackers to access or modify system files.
CVE-2019-7194 Exploit Probability: 93.2% 		June 8, 2022
QNAP QTS Improper Input Validation Vulnerability QNAP QTS contains an improper input validation vulnerability allowing remote attackers to inject code on the system.
CVE-2019-7193 Exploit Probability: 34.4% 		June 8, 2022
QNAP Photo Station Improper Access Control Vulnerability QNAP NAS devices running Photo Station contain an improper access control vulnerability allowing remote attackers to gain unauthorized access to the system.
CVE-2019-7192 Exploit Probability: 93.9% 		June 8, 2022
QNAP NAS File Station Cross-Site Scripting Vulnerability A cross-site scripting vulnerability affecting QNAP NAS File Station could allow remote attackers to inject malicious code.
CVE-2018-19953 Exploit Probability: 31.5% 		May 24, 2022
QNAP NAS File Station Command Injection Vulnerability A command injection vulnerability affecting QNAP NAS File Station could allow remote attackers to run commands.
CVE-2018-19949 Exploit Probability: 44.2% 		May 24, 2022
QNAP NAS File Station Cross-Site Scripting Vulnerability A cross-site scripting vulnerability affecting QNAP NAS File Station could allow remote attackers to inject malicious code.
CVE-2018-19943 Exploit Probability: 5.5% 		May 24, 2022
QNAP Network-Attached Storage (NAS) Command Injection Vulnerability QNAP NAS devices contain a command injection vulnerability which could allow attackers to perform remote code execution.
CVE-2020-2509 Exploit Probability: 85.2% 		April 11, 2022
QNAP NAS Improper Authorization Vulnerability QNAP NAS running HBS 3 contains an improper authorization vulnerability which can allow remote attackers to log in to a device.
CVE-2021-28799 Exploit Probability: 86.2% 		March 31, 2022

Of the known exploited vulnerabilities above, 7 are in the top 1%, or the 99th percentile of the EPSS exploit probability rankings. 3 known exploited QNAP vulnerabilities are in the top 5% (95th percentile or greater) of the EPSS exploit probability rankings.

By the Year

In 2025 there have been 82 vulnerabilities in QNAP with an average score of 8.0 out of ten. Last year, in 2024 QNAP had 118 security vulnerabilities published. Right now, QNAP is on track to have less security vulnerabilities in 2025 than it did last year. However, the average CVE base score of the vulnerabilities in 2025 is greater by 0.74.




Year Vulnerabilities Average Score
2025 82 8.00
2024 118 7.26
2023 37 7.14
2022 19 8.46
2021 31 8.05
2020 18 7.21
2019 6 8.25
2018 17 7.84

It may take a day or so for new QNAP vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.

Recent QNAP Security Vulnerabilities

CVE Date Vulnerability Products
CVE-2017-20210 Nov 11, 2025
CVE-2017-20210: Photo Station XMR Mining Vulnerability in 5.4.1 Photo Station 5.4.1 & 5.2.7 include the security fix for the vulnerability related to the XMR mining programs identified by internal research.
Photo Station
CVE-2025-47207 Nov 07, 2025
File Station NULL ptr deref DoS before 5.5.6.5018 A NULL pointer dereference vulnerability has been reported to affect several product versions. If a remote attacker gains a user account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following version: File Station 5 5.5.6.5018 and later
File Station
CVE-2025-52425 Nov 07, 2025
SQLi in QuMagie <2.7.0 Unauthenticated Remote Code Exec An SQL injection vulnerability has been reported to affect QuMagie. A remote attacker can exploit the vulnerability to execute unauthorized code or commands. We have already fixed the vulnerability in the following versions: QuMagie 2.7.0 and later
Qumagie
CVE-2025-52865 Nov 07, 2025
Synology File Station 5 NULL Pointer DoS Vulnerability (v5.5.6.5018+ Fix) A NULL pointer dereference vulnerability has been reported to affect File Station 5. If a remote attacker gains a user account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following version: File Station 5 5.5.6.5018 and later
File Station
CVE-2025-53408 Nov 07, 2025
File Station 5 Null DP DoS fixed in 5.5.6.5018 A NULL pointer dereference vulnerability has been reported to affect File Station 5. If a remote attacker gains a user account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following version: File Station 5 5.5.6.5018 and later
File Station
CVE-2025-53409 Nov 07, 2025
File Station 5 Resource Allocation DoS Fixed in 5.5.6.5018 An allocation of resources without limits or throttling vulnerability has been reported to affect File Station 5. If a remote attacker gains a user account, they can then exploit the vulnerability to prevent other systems, applications, or processes from accessing the same type of resource. We have already fixed the vulnerability in the following version: File Station 5 5.5.6.5018 and later
File Station
CVE-2025-53410 Nov 07, 2025
File Station 5 Resource Exhaustion (CVE-2025-53410) pre5.5.6.5018 An allocation of resources without limits or throttling vulnerability has been reported to affect File Station 5. If a remote attacker gains a user account, they can then exploit the vulnerability to prevent other systems, applications, or processes from accessing the same type of resource. We have already fixed the vulnerability in the following version: File Station 5 5.5.6.5018 and later
File Station
CVE-2025-53411 Nov 07, 2025
Resource Exhaustion Vulnerability in File Station 5 (fixed 5.5.6.5018) An allocation of resources without limits or throttling vulnerability has been reported to affect File Station 5. If a remote attacker gains an administrator account, they can then exploit the vulnerability to prevent other systems, applications, or processes from accessing the same type of resource. We have already fixed the vulnerability in the following version: File Station 5 5.5.6.5018 and later
File Station
CVE-2025-53412 Nov 07, 2025
NULL Pointer DoS in Synology File Station before 5.5.6.5018 A NULL pointer dereference vulnerability has been reported to affect File Station 5. If a remote attacker gains a user account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following version: File Station 5 5.5.6.5018 and later
File Station
CVE-2025-53413 Nov 07, 2025
File Station 5 RCE: Unlimited Resource Allocation (fixed 5.5.6.5018) An allocation of resources without limits or throttling vulnerability has been reported to affect File Station 5. If a remote attacker gains a user account, they can then exploit the vulnerability to prevent other systems, applications, or processes from accessing the same type of resource. We have already fixed the vulnerability in the following version: File Station 5 5.5.6.5018 and later
File Station
CVE-2025-54167 Nov 07, 2025
Notification Center XSS via Admin Patch in 2.1.0.3443, 1.9.2.3163, 3.0.0.3466+ A cross-site scripting (XSS) vulnerability has been reported to affect Notification Center. If a remote attacker gains an administrator account, they can then exploit the vulnerability to bypass security mechanisms or read application data. We have already fixed the vulnerability in the following versions: Notification Center 2.1.0.3443 and later Notification Center 1.9.2.3163 and later Notification Center 3.0.0.3466 and later
Notification Center
CVE-2025-54168 Nov 07, 2025
QuLog Center XSS via admin bypass, fixed in 1.8.2.923 A cross-site scripting (XSS) vulnerability has been reported to affect QuLog Center. If a remote attacker gains an administrator account, they can then exploit the vulnerability to bypass security mechanisms or read application data. We have already fixed the vulnerability in the following version: QuLog Center 1.8.2.923 ( 2025/08/27 ) and later
Qulog Center
CVE-2025-57706 Nov 07, 2025
File Station 5 XSS via User Account, Fixed in 5.5.6.5018 A cross-site scripting (XSS) vulnerability has been reported to affect File Station 5. If a remote attacker gains a user account, they can then exploit the vulnerability to bypass security mechanisms or read application data. We have already fixed the vulnerability in the following version: File Station 5 5.5.6.5018 and later
File Station
CVE-2025-57712 Nov 07, 2025
Path Traversal in Qsync Central 5.0.0.3 (pre-5.0.0.3) A path traversal vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to read the contents of unexpected files or system data. We have already fixed the vulnerability in the following version: Qsync Central 5.0.0.3 ( 2025/08/28 ) and later
Qsync Central
CVE-2025-58463 Nov 07, 2025
Path Traversal in Synology Download Station 5.10.0.304+ A relative path traversal vulnerability has been reported to affect Download Station. If a remote attacker gains an administrator account, they can then exploit the vulnerability to read the contents of unexpected files or system data. We have already fixed the vulnerability in the following versions: Download Station 5.10.0.305 ( 2025/09/16 ) and later Download Station 5.10.0.304 ( 2025/09/08 ) and later
Download Station
CVE-2025-58464 Nov 07, 2025
QuMagie <2.7.3 Path Traversal CVE-2025-58464 A relative path traversal vulnerability has been reported to affect QuMagie. If a remote attacker, they can then exploit the vulnerability to read the contents of unexpected files or system data. We have already fixed the vulnerability in the following version: QuMagie 2.7.3 and later
Qumagie
CVE-2025-58465 Nov 07, 2025
XSS in Download Station v<5.10.0.304> - remote account bypass A cross-site scripting (XSS) vulnerability has been reported to affect Download Station. If a remote attacker gains a user account, they can then exploit the vulnerability to bypass security mechanisms or read application data. We have already fixed the vulnerability in the following versions: Download Station 5.10.0.305 ( 2025/09/16 ) and later Download Station 5.10.0.304 ( 2025/09/08 ) and later
Download Station
CVE-2025-58469 Nov 07, 2025
CSRF in QuLog Center before 1.8.2.927 A cross-site request forgery (CSRF) vulnerability has been reported to affect QuLog Center. The remote attackers can then exploit the vulnerability to gain privileges or hijack user identities. We have already fixed the vulnerability in the following version: QuLog Center 1.8.2.927 ( 2025/09/17 ) and later
Qulog Center
CVE-2025-57714 Oct 03, 2025
NetBak Replicator 4.5.15.0807+ Unquoted Search Path Vulnerability (CVE-2025-57714) An unquoted search path or element vulnerability has been reported to affect NetBak Replicator. If a local attacker gains a user account, they can then exploit the vulnerability to execute unauthorized code or commands. We have already fixed the vulnerability in the following version: NetBak Replicator 4.5.15.0807 and later
Netbak Replicator
CVE-2025-54154 Oct 03, 2025
Invalid Auth: QNAP Authenticator <1.3.1.1227 (Physical Access) An improper authentication vulnerability has been reported to affect QNAP Authenticator. If an attacker gains physical access, they can then exploit the vulnerability to compromise the security of the system. We have already fixed the vulnerability in the following version: QNAP Authenticator 1.3.1.1227 and later
Qnap Authenticator
CVE-2025-54153 Oct 03, 2025
SQL Injection in Qsync Central <5.0.0.2 (fixed 5.0.0.2) An SQL injection vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to execute unauthorized code or commands. We have already fixed the vulnerability in the following version: Qsync Central 5.0.0.2 ( 2025/07/31 ) and later
CVE-2025-53595 Oct 03, 2025
SQLi Qsync Central <=5.0.0.1: remote code exec An SQL injection vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to execute unauthorized code or commands. We have already fixed the vulnerability in the following version: Qsync Central 5.0.0.2 ( 2025/07/31 ) and later
Qsync Central
CVE-2025-53407 Oct 03, 2025
QNAP QTS Format String Vulnerability v5.2.6.3195 Remote Exploit A use of externally-controlled format string vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to obtain secret data or modify memory. We have already fixed the vulnerability in the following versions: QTS 5.2.6.3195 build 20250715 and later QuTS hero h5.2.6.3195 build 20250715 and later
Qts
Quts Hero
CVE-2025-53406 Oct 03, 2025
Format String in QTS/QuTS hero 5.2.6.3195 Allows Remote Data Leak A use of externally-controlled format string vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to obtain secret data or modify memory. We have already fixed the vulnerability in the following versions: QTS 5.2.6.3195 build 20250715 and later QuTS hero h5.2.6.3195 build 20250715 and later
Qts
Quts Hero
CVE-2025-52867 Oct 03, 2025
Uncontrolled Resource Consumption in Qsync Central 5.0.0.2 DoS Vulnerability An uncontrolled resource consumption vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following version: Qsync Central 5.0.0.2 ( 2025/07/31 ) and later
Qsync Central
CVE-2025-52866 Oct 03, 2025
QNAP QTS/QuTS hero 5.2.6.3195 NPD Remote Admin DoS A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following versions: QTS 5.2.6.3195 build 20250715 and later QuTS hero h5.2.6.3195 build 20250715 and later
Qts
Quts Hero
CVE-2025-52862 Oct 03, 2025
QNAP QTS/QuTS hero NULL ptr DoS before 5.2.6.3195 A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following versions: QTS 5.2.6.3195 build 20250715 and later QuTS hero h5.2.6.3195 build 20250715 and later
Qts
Quts Hero
CVE-2025-52860 Oct 03, 2025
QNAP QTS/QuTS hero NULL Ptr Deref DoS before 5.2.6.3195 A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following versions: QTS 5.2.6.3195 build 20250715 and later QuTS hero h5.2.6.3195 build 20250715 and later
Qts
Quts Hero
CVE-2025-52859 Oct 03, 2025
QNAP QTS 5.2.6.3195: NULL ptr DoS Remote Attacker A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following versions: QTS 5.2.6.3195 build 20250715 and later QuTS hero h5.2.6.3195 build 20250715 and later
Qts
Quts Hero
CVE-2025-52858 Oct 03, 2025
NULL Pointer Deref in QNAP QTS & QuTS hero 5.2.6.3195 Before build 20250715 DoS A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following versions: QTS 5.2.6.3195 build 20250715 and later QuTS hero h5.2.6.3195 build 20250715 and later
Qts
Quts Hero
CVE-2025-52857 Oct 03, 2025
QNAP QTS/QuTS hero NULL ptr deref DoS pre 5.2.6.3195 A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following versions: QTS 5.2.6.3195 build 20250715 and later QuTS hero h5.2.6.3195 build 20250715 and later
Qts
Quts Hero
CVE-2025-52855 Oct 03, 2025
QNAP QTS/QuTS Hero Remote Admin Null Ptr Deref DoS - fixed 5.2.6.3195 A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following versions: QTS 5.2.6.3195 build 20250715 and later QuTS hero h5.2.6.3195 build 20250715 and later
Qts
Quts Hero
CVE-2025-52854 Oct 03, 2025
QTS QNAP OS NPE DoS (5.2.6.3195) Remote Admin A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following versions: QTS 5.2.6.3195 build 20250715 and later QuTS hero h5.2.6.3195 build 20250715 and later
Qts
Quts Hero
CVE-2025-52853 Oct 03, 2025
QNAP OS QTS/QuTS hero DoS via NULL ptr in pre-5.2.6.3195 A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following versions: QTS 5.2.6.3195 build 20250715 and later QuTS hero h5.2.6.3195 build 20250715 and later
Qts
Quts Hero
CVE-2025-52433 Oct 03, 2025
NULL PTR DoS in QNAP QTS 5.2.6.3195 & QuTS Hero 5.2.6.3195 A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following versions: QTS 5.2.6.3195 build 20250715 and later QuTS hero h5.2.6.3195 build 20250715 and later
Qts
Quts Hero
CVE-2025-52432 Oct 03, 2025
CVE-2025-52432: Null Pointer Deref in QNAP QTS/QuTS hero OS DoS (fixed 5.2.6.3195+/5.3.0.3192+) A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following versions: QTS 5.2.6.3195 build 20250715 and later and later QuTS hero h5.2.6.3195 build 20250715 and later QuTS hero h5.3.0.3192 build 20250716 and later
Qts
Quts Hero
CVE-2025-52429 Oct 03, 2025
Format String Vulnerability in QTS 5.2.6.3195+ (CVE202552429) A use of externally-controlled format string vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to obtain secret data or modify memory. We have already fixed the vulnerability in the following versions: QTS 5.2.6.3195 build 20250715 and later QuTS hero h5.2.6.3195 build 20250715 and later
Qts
Quts Hero
CVE-2025-52428 Oct 03, 2025
QTS NULL Pointer Deref DoS in <=5.2.6.3194, Fixed 5.2.6.3195 A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following versions: QTS 5.2.6.3195 build 20250715 and later
Qts
CVE-2025-52427 Oct 03, 2025
QNAP QTS/QuTS hero 5.2.x NULL Pointer DoS Vulnerability A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following versions: QTS 5.2.6.3195 build 20250715 and later QuTS hero h5.2.6.3195 build 20250715 and later
Qts
Quts Hero
CVE-2025-52424 Oct 03, 2025
QTS 5.2.6.3195 NULL ptr DoS after admin takeover A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following versions: QTS 5.2.6.3195 build 20250715 and later QuTS hero h5.2.6.3195 build 20250715 and later
Qts
Quts Hero
CVE-2025-48730 Oct 03, 2025
External Format String issue in QNAP QTS/QuTS <5.2.6.3195 (pre-5.2.6.3195) A use of externally-controlled format string vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to obtain secret data or modify memory. We have already fixed the vulnerability in the following versions: QTS 5.2.6.3195 build 20250715 and later QuTS hero h5.2.6.3195 build 20250715 and later
Qts
Quts Hero
CVE-2025-48729 Oct 03, 2025
QNAP QTS/QuTS hero NULL PTR DoS prior 5.2.6.3195 A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following versions: QTS 5.2.6.3195 build 20250715 and later QuTS hero h5.2.6.3195 build 20250715 and later
Qts
Quts Hero
CVE-2025-48728 Oct 03, 2025
QNAP QTS Null Ptr DoS before 5.2.6.3195 A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following versions: QTS 5.2.6.3195 build 20250715 and later QuTS hero h5.2.6.3195 build 20250715 and later
Qts
Quts Hero
CVE-2025-48727 Oct 03, 2025
QNAP OS NULL Pointer DoS (QTS 5.2.6.3195+, QuTS hero h5.2.6.3195+) A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following versions: QTS 5.2.6.3195 build 20250715 and later QuTS hero h5.2.6.3195 build 20250715 and later
Qts
Quts Hero
CVE-2025-48726 Oct 03, 2025
QTS <5.2.6.3195: NULL ptr deref DoS via admin A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following versions: QTS 5.2.6.3195 build 20250715 and later QuTS hero h5.2.6.3195 build 20250715 and later
Qts
Quts Hero
CVE-2025-47214 Oct 03, 2025
QNAP QTS 5.2.6.3195 NULL PTR Deref DoS A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following versions: QTS 5.2.6.3195 build 20250715 and later and later
Qts
CVE-2025-47213 Oct 03, 2025
QNAP QTS/QuTS NULL Pointer DoS (remote admin) before 5.2.6.3195 A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following versions: QTS 5.2.6.3195 build 20250715 and later QuTS hero h5.2.6.3195 build 20250715 and later
Qts
Quts Hero
CVE-2025-47212 Oct 03, 2025
Command Injection Remote Exec in QNAP QTS/QuTS hero <5.2.6.3195 A command injection vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to execute arbitrary commands. We have already fixed the vulnerability in the following versions: QTS 5.2.6.3195 build 20250715 and later QuTS hero h5.2.6.3195 build 20250715 and later
Qts
Quts Hero
CVE-2025-47211 Oct 03, 2025
Path Traversal in QTS 5.2.6.3195 (QNAP) admin reads arbitrary files A path traversal vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to read the contents of unexpected files or system data. We have already fixed the vulnerability in the following versions: QTS 5.2.6.3195 build 20250715 and later QuTS hero h5.2.6.3195 build 20250715 and later
Qts
Quts Hero
CVE-2025-47210 Oct 03, 2025
Qsync Central 5.0+ Null Ptr Deref DoS in 5.0.0.2 A NULL pointer dereference vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following version: Qsync Central 5.0.0.2 ( 2025/07/31 ) and later
Qsync Central
Built by Foundeo Inc., with data from the National Vulnerability Database (NVD). Privacy Policy. Use of this site is governed by the Legal Terms
Disclaimer
CONTENT ON THIS WEBSITE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. Always check with your vendor for the most up to date, and accurate information.