
QNAP Systems, Inc. has released patches addressing multiple high-severity vulnerabilities in its Qsync Central and File Station 5 applications, which, if exploited, could allow remote attackers to execute unauthorized code, compromise user data, or manipulate system memory. The flaws were detailed in a recent security advisory and are now resolved in the latest versions of the affected software.
Two vulnerabilities were reported in Qsync Central 4.5.x:
- CVE-2025-29892 (CVSSv4 8.7): A remote attacker with user-level access can exploit this flaw to run arbitrary SQL commands, potentially leading to full database compromise or code execution.
- CVE-2025-22482 (CVSSv4 2.3): Exploitation of this vulnerability may allow attackers to read secret data or modify memory, though it requires access to a user account.
“If a remote attacker gains access to a user account, they can then exploit the vulnerability to execute unauthorized code or commands,” the advisory warns.
All users of Qsync Central 4.5.x should immediately update to version 4.5.0.6 or later via QTS/QuTS hero’s App Center.
QNAP has also resolved four improper certificate validation vulnerabilities in File Station 5, all rated high in severity:
- CVE-2025-22486 – CVSSv4 7.1
- CVE-2025-29883, CVE-2025-29884, CVE-2025-29885 – All CVSSv4 8.3
These issues may allow attackers with user account access to bypass security protocols, intercept communications, or impersonate trusted services, posing a risk to data confidentiality and integrity.
“If a remote attacker gains access to a user account, they can then exploit the vulnerabilities to compromise the security of the system,” the advisory explains.
Update File Station 5 to version 5.5.6.4791 or later via App Center to close all known certificate validation loopholes.
How to update
- Log in to QTS or QuTS hero as an administrator.
- Open App Center.
- Search for either “Qsync Central” or “File Station 5.”
- Click Update (if available) and confirm.
- Wait for the application to complete updating.
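
To confirm the updates landed across several devices, the fixed versions above can be checked against an asset inventory. The script below is an added example, not code from QNAP or the advisory, and it compares version parts numerically so that 5.5.6.999 is not mistaken for newer than 5.5.6.4791. The CSV layout, hostnames, installed versions and app-name strings are constructed assumptions; only the two fixed versions come from the article.

```python
import csv
import io

# Fixed versions as stated in the article. "branch" limits the check to the
# release line the article names (Qsync Central 4.5.x, File Station 5).
FIXED = {
    "Qsync Central": {"branch": (4, 5), "fixed": (4, 5, 0, 6)},
    "File Station 5": {"branch": (5,), "fixed": (5, 5, 6, 4791)},
}

def parse_version(text):
    """Turn '5.5.6.4791' into (5, 5, 6, 4791) so parts compare numerically."""
    return tuple(int(part) for part in text.strip().split("."))

def assess(app, version_text):
    """Return 'update', 'ok', 'out-of-scope' or 'unparsed' for one installed app."""
    rule = FIXED.get(app)
    if rule is None:
        return "out-of-scope"
    try:
        version = parse_version(version_text)
    except ValueError:
        return "unparsed"  # never treat an unreadable version as patched
    if version[: len(rule["branch"])] != rule["branch"]:
        return "out-of-scope"  # the article gives no fixed version for this branch
    return "ok" if version >= rule["fixed"] else "update"

def audit(inventory_csv):
    """Map (host, app) to a status for every row of a host,app,version CSV."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return {(r["host"], r["app"]): assess(r["app"], r["version"]) for r in rows}

# Constructed sample inventory; hostnames and installed versions are made up.
SAMPLE = """host,app,version
nas-01,Qsync Central,4.5.0.5
nas-02,Qsync Central,4.5.0.6
nas-03,File Station 5,5.5.6.999
nas-04,File Station 5,5.5.6.4791
nas-05,File Station 5,5.5.6-beta
nas-06,Qsync Central,4.4.0.16
"""

if __name__ == "__main__":
    for (host, app), status in audit(SAMPLE).items():
        print(f"{host:8} {app:14} {status}")
```

Rows reported as unparsed or out-of-scope need a manual look rather than being counted as patched.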