QNAP has issued a new security advisory addressing multiple vulnerabilities in two of its widely used utilities—NetBak Replicator and Qsync Central—that could allow attackers to execute unauthorized code or disrupt NAS operations. The most severe flaws carry CVSS scores up to 8.6, posing a high-risk threat to both enterprise and home users.
CVE-2025-57714: Code Execution Risk in NetBak Replicator
The most serious issue disclosed is CVE-2025-57714, rated CVSS 8.5, which affects QNAP’s NetBak Replicator software. According to the advisory, “An unquoted search path or element vulnerability has been reported to affect NetBak Replicator. If a local attacker gains access to a user account, they can then exploit the vulnerability to execute unauthorized code or commands.”
When an executable path containing spaces is not quoted, Windows may resolve it by trying each space-delimited prefix in turn. A local attacker who can write to one of the directories along that path can therefore plant a rogue executable that Windows runs instead of the intended one whenever the software launches.
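As an added illustration of the mechanism described above (not code from QNAP or from the advisory), the following Python models how CreateProcess resolves an unquoted image path and flags which of the intermediate candidates sit in a user-writable directory. The install path and the writable-directory set are constructed sample values, not the real NetBak Replicator locations.

```python
import ntpath

# Constructed sample path; NOT the real NetBak Replicator install location.
SAMPLE_PATH = "C:\\Program Files\\Example Vendor\\Backup Tool\\backup.exe"
# Constructed assumption: this directory grants Modify rights to standard users.
SAMPLE_USER_WRITABLE_DIRS = {"C:\\Program Files\\Example Vendor"}


def needs_quoting(image_path: str) -> bool:
    """An image path is at risk when it is unquoted and contains a space."""
    p = image_path.strip()
    return not p.startswith('"') and " " in p


def candidate_executables(unquoted_path: str) -> list:
    """Model how CreateProcess resolves an unquoted path containing spaces:
    it tries each space-delimited prefix in order, appending .exe when the
    prefix has no extension (as described in Microsoft's CreateProcess docs)."""
    parts = unquoted_path.strip().split(" ")
    candidates = []
    for i in range(1, len(parts) + 1):
        prefix = " ".join(parts[:i])
        if not ntpath.splitext(prefix)[1]:
            prefix += ".exe"
        candidates.append(prefix)
    return candidates


def hijack_points(image_path: str, user_writable_dirs: set) -> list:
    """Return the candidates Windows would try BEFORE the intended executable
    whose parent directory a standard user can write to. These are the
    locations an audit should flag and lock down (or fix by quoting the path)."""
    if not needs_quoting(image_path):
        return []
    # Windows paths are case-insensitive, so normalise before comparing.
    writable = {d.rstrip("\\").lower() for d in user_writable_dirs}
    candidates = candidate_executables(image_path)
    flagged = []
    for cand in candidates[:-1]:
        parent = ntpath.dirname(cand).rstrip("\\").lower()
        if parent in writable:
            flagged.append(cand)
    return flagged


if __name__ == "__main__":
    for cand in candidate_executables(SAMPLE_PATH):
        print("CreateProcess would try:", cand)
    print("Flagged:", hijack_points(SAMPLE_PATH, SAMPLE_USER_WRITABLE_DIRS))
```

On a real host the image paths to feed this come from the service and scheduled-task definitions, and the writable-directory set from the ACLs on each directory along the path.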
QNAP confirmed the vulnerability has been patched in NetBak Replicator version 4.5.15.0807 and later, urging users to update immediately.
Multiple Vulnerabilities Impacting Qsync Central
The advisory also lists five separate vulnerabilities affecting Qsync Central, a synchronization utility used for managing files across multiple NAS systems. These include:
- CVE-2025-44012 (CVSS 7.1): Allocation of resources without limits or throttling — can cause system instability.
- CVE-2025-47210 (CVSS 5.3): NULL pointer dereference — may allow remote attackers to trigger a denial-of-service (DoS).
- CVE-2025-52867 (CVSS 6.0): Uncontrolled resource consumption — can lead to service interruptions.
- CVE-2025-53595 and CVE-2025-54153 (CVSS 8.6): SQL injection vulnerabilities — the most severe, allowing remote attackers with user access to “execute unauthorized code or commands.”
The SQL injection issues, in particular, pose a critical risk of data theft or privilege escalation if exploited on systems exposed to the internet.
QNAP has fixed all of these vulnerabilities in Qsync Central version 5.0.0.2 (released July 31, 2025) and later.
Update Instructions
To apply the patches, QNAP advises:
- Log in to QTS or QuTS hero as an administrator.
- Open App Center, search for “Qsync Central.”
- Click Update, and confirm when prompted.
- If the update button is unavailable, your version is already up to date.
QNAP urges all users to regularly update QNAP utilities to the latest versions to mitigate known vulnerabilities and benefit from ongoing security improvements. The advisory emphasizes: “To secure your device, we recommend regularly updating your QNAP utilities to the latest versions to benefit from vulnerability fixes.”
Administrators should also limit local account access, disable unnecessary synchronization services, and avoid exposing NAS management ports directly to the internet.