Description:
QNAP has published security advisories to address multiple vulnerabilities in QNAP products. The list of patches can be found at:
https://www.qnap.com/go/security-advisory/qsa-25-33
https://www.qnap.com/go/security-advisory/qsa-25-37
https://www.qnap.com/go/security-advisory/qsa-25-38
https://www.qnap.com/go/security-advisory/qsa-25-40
https://www.qnap.com/go/security-advisory/qsa-25-41
https://www.qnap.com/go/security-advisory/qsa-25-42
https://www.qnap.com/go/security-advisory/qsa-25-43
https://www.qnap.com/go/security-advisory/qsa-25-45
https://www.qnap.com/go/security-advisory/qsa-25-46
https://www.qnap.com/go/security-advisory/qsa-25-47
https://www.qnap.com/go/security-advisory/qsa-25-48
Affected Systems:
- QNAP NAS devices running Download Station versions prior to 5.10.0.304 (2025/09/08), 5.10.0.305 (2025/09/16)
- QNAP NAS devices running File Station 5 versions prior to 5.5.6.5018
- QNAP NAS devices running HBS 3 Hybrid Backup Sync versions prior to 26.2.0.938
- QNAP NAS devices running Hyper Data Protector versions prior to 2.2.4.1
- QNAP NAS devices running Malware Remover versions prior to 6.6.8.20251023
- QNAP NAS devices running Notification Center versions prior to 1.9.2.3163, 2.1.0.3443, 3.0.0.3466
- QNAP NAS devices running QTS operating system versions prior to 5.2.7.3297 build 20251024
- QNAP NAS devices running Qsync Central versions prior to 5.0.0.3 (2025/08/28)
- QNAP NAS devices running QuLog Center versions prior to 1.8.2.923 (2025/08/27)
- QNAP NAS devices running QuMagie versions prior to 2.7.3
- QNAP NAS devices running QuTS hero operating system versions prior to h5.2.7.3297 build 20251024, h5.3.1.3292 build 20251024
For detailed information of the affected systems, please refer to the corresponding security advisory at vendor's website.
Impact:
Successful exploitation of the vulnerabilities could lead to remote code execution, denial of service, elevation of privilege, information disclosure or security restriction bypass on an affected system.
Recommendation:
Patches for affected systems are available. System administrators of affected systems should follow the recommendations provided by the vendor and take immediate actions to mitigate the risk.
More Information:
- https://www.qnap.com/go/security-advisory/qsa-25-33
- https://www.qnap.com/go/security-advisory/qsa-25-37
- https://www.qnap.com/go/security-advisory/qsa-25-38
- https://www.qnap.com/go/security-advisory/qsa-25-40
- https://www.qnap.com/go/security-advisory/qsa-25-41
- https://www.qnap.com/go/security-advisory/qsa-25-42
- https://www.qnap.com/go/security-advisory/qsa-25-43
- https://www.qnap.com/go/security-advisory/qsa-25-45
- https://www.qnap.com/go/security-advisory/qsa-25-46
- https://www.qnap.com/go/security-advisory/qsa-25-47
- https://www.qnap.com/go/security-advisory/qsa-25-48
- https://www.hkcert.org/security-bulletin/qnap-nas-multiple-vulnerabilities_20251110
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-11837
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-47207
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-52425
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-52865
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-53408 (to CVE-2025-53413)
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-54167 (to CVE-2025-54168)
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-57706
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-57712
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-58463 (to CVE-2025-58465)
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-58469
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-59389
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-62840
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-62842
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-62847 (to CVE-2025-62849)
