High Threat Security Alert (A26-02-18): Multiple Vulnerabilities in QNAP Products


 

Published on: 12 February 2026

Description:

QNAP has published security advisories to address multiple vulnerabilities in QNAP products. The list of patches can be found at:
https://www.qnap.com/en/security-advisory/qsa-25-57
https://www.qnap.com/go/security-advisory/qsa-26-02
https://www.qnap.com/go/security-advisory/qsa-26-03
https://www.qnap.com/go/security-advisory/qsa-26-04
https://www.qnap.com/go/security-advisory/qsa-26-05
https://www.qnap.com/go/security-advisory/qsa-26-06
https://www.qnap.com/go/security-advisory/qsa-26-08

Reports indicated that proof-of-concept (PoC) exploit code is available for remote code execution and security restriction bypass vulnerabilities (CVE-2025-10230 and CVE-2025-23048). These issues are reported by Samba and Apache HTTP Server. System administrators are advised to take immediate action to patch your affected systems to mitigate the elevated risk of cyber attacks.

 

Affected Systems:

  • QNAP NAS devices running File Station versions prior to 5.5.6.5190
  • QNAP NAS devices running Media Streaming add-on versions prior to 500.1.1.6 (2024/08/02)
  • QNAP NAS devices running QTS operating system versions prior to 5.2.8.3350 build 20251216
  • QNAP NAS devices running Qsync Central versions prior to 5.0.0.4 (2026/01/20)
  • QNAP NAS devices running QuTS hero operating system versions prior to h5.3.2.3354 build 20251225, h5.2.8.3321 build 20251117

For detailed information of the affected systems, please refer to the corresponding security advisory at vendor's website.

 

Impact:

Successful exploitation of the vulnerabilities could lead to remote code execution, denial of service, elevation of privilege, information disclosure, security restriction bypass or tampering on an affected system.

 

Recommendation:

Patches for affected systems are available. System administrators of affected systems should follow the recommendations provided by the vendor and take immediate actions to mitigate the risk.

 

More Information:

  • https://www.qnap.com/go/security-advisory/qsa-25-57
  • https://www.qnap.com/go/security-advisory/qsa-26-02
  • https://www.qnap.com/go/security-advisory/qsa-26-03
  • https://www.qnap.com/go/security-advisory/qsa-26-04
  • https://www.qnap.com/go/security-advisory/qsa-26-05
  • https://www.qnap.com/go/security-advisory/qsa-26-06
  • https://www.qnap.com/go/security-advisory/qsa-26-08
  • https://www.hkcert.org/security-bulletin/qnap-nas-multiple-vulnerabilities_20260212
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-42516
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-43204
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-43394
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-47252
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-56807 (to CVE-2024-56808)
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-9640
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-10230
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-23048
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-30269
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-30276
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-47205
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-47209
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-48722 (to CVE-2025-48725)
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-49630
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-49812
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-52868 (to CVE-2025-52870)
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-53020
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-53598
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-54090
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-54146 (to CVE-2025-54150)
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-54155
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-54161 (to CVE-2025-54163)
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-54169
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-57707
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-57713
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-58466
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-59386
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-62853 (to CVE-2025-62856)
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-66274
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-66277 (to CVE-2025-66278)
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-22894


Tag: QNAP , NAS , File Station , Media Streaming , QTS , Qsync Central , QuTS hero
Tags