Security Alert (A26-01-01): Multiple Vulnerabilities in QNAP Products


 

Published on: 05 January 2026

Description:

QNAP has published security advisories to address multiple vulnerabilities in QNAP products. The list of patches can be found at:
https://www.qnap.com/en/security-advisory/qsa-25-49
https://www.qnap.com/en/security-advisory/qsa-25-50
https://www.qnap.com/en/security-advisory/qsa-25-51
https://www.qnap.com/en/security-advisory/qsa-25-52
https://www.qnap.com/en/security-advisory/qsa-25-53
https://www.qnap.com/en/security-advisory/qsa-25-54
https://www.qnap.com/en/security-advisory/qsa-25-55

 

Affected Systems:

  • QNAP NAS devices running QTS operating system versions prior to QTS 5.2.7.3256 build 20250913, 5.2.8.3332 build 20251128
  • QNAP NAS devices running QuMagie versions prior to 2.8.1
  • QNAP NAS devices running QuTS hero operating system versions prior to h5.3.1.3250 build 20250912, h5.2.7.3256 build 20250913
  • QNAP NAS devices running License Center versions prior to 2.0.36
  • QNAP NAS devices running MARS (Multi-Application Recovery Service) versions prior to 1.2.1.1686
  • QNAP NAS devices running Qfiling versions prior to 3.13.1
  • QNAP NAS devices running Qfinder Pro (for Mac) versions prior to 7.13.0
  • QNAP NAS devices running Qsync (for Mac) versions prior to 5.1.5
  • QNAP NAS devices running QVPN Device Client (for Mac) versions prior to 2.2.8

For detailed information of the affected systems, please refer to the corresponding security advisory at vendor's website.

 

Impact:

Successful exploitation of the vulnerabilities could lead to remote code execution, denial of service, information disclosure, tampering or security restriction bypass on an affected system.

 

Recommendation:

Patches for affected systems are available. System administrators of affected systems should follow the recommendations provided by the vendor and take immediate actions to mitigate the risk.

 

More Information:

  • https://www.qnap.com/en/security-advisory/qsa-25-49
  • https://www.qnap.com/en/security-advisory/qsa-25-50
  • https://www.qnap.com/en/security-advisory/qsa-25-51
  • https://www.qnap.com/en/security-advisory/qsa-25-52
  • https://www.qnap.com/en/security-advisory/qsa-25-53
  • https://www.qnap.com/en/security-advisory/qsa-25-54
  • https://www.qnap.com/en/security-advisory/qsa-25-55
  • https://www.hkcert.org/security-bulletin/qnap-nas-multiple-vulnerabilities_20260105
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-09110
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-44013
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-47208
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-48721
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-52426
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-52430 (to CVE-2025-52431)
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-52863 (to CVE-2025-52864)
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-52871 (to CVE-2025-52872)
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-53405
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-53414
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-53589 (to CVE-2025-53594)
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-53596 (to CVE-2025-53597)
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-54164 (to CVE-2025-54166)
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-57705
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-59380 (to CVE-2025-59381)
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-59384
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-59387
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-62852
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-62857


Tag: QNAP , NAS , QuMagie , QuTS hero , QNAP License Center , QNAP MARS , Qfiling , Qfinder , Qsync , QVPN Device Client
Tags