TL;DR
QNAP has patched 14 vulnerabilities affecting its QTS, QuTS hero, QuTS cloud, and QVP systems. The flaws range from command injection and credential theft to several denial-of-service bugs. These QNAP NAS vulnerabilities affect widely deployed storage and surveillance appliances. No active exploitation has been reported.
Why it matters
NAS devices store sensitive data and often sit at the network edge. As a result, they remain a favorite ransomware target. Several flaws here let an authenticated admin run arbitrary commands. One URL injection bug, CVE-2025-59382, needs no admin rights. A remote attacker can alter a password reset link and steal credentials. Two denial-of-service bugs, including a pre-authentication NULL pointer issue, need no login at all. Together, the set gives attackers paths to data theft, remote control, and service outages.
How the attacks work
The most serious flaws are command injection bugs. CVE-2025-66273 abuses the username parameter to run system commands. CVE-2025-66279 and CVE-2026-22893 reach command execution through admin APIs, and one of them also gains elevated privileges. Many of the other bugs are memory-safety issues. Overly long upload filenames trigger stack-based buffer overflows in a CGI handler, which crashes the service. A malformed HTTP request with no Content-Length header can also crash the system before login. Most of these QNAP NAS vulnerabilities need an authenticated session, which lowers but does not remove the risk.
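As an added example (not code from the advisory or from QNAP), the following Python triage routine scans constructed request records for the three conditions this section describes: shell metacharacters in a username field, an over-long upload filename, and a body-carrying request with no Content-Length header. The record format, the endpoint paths, and the 255-character filename limit are assumptions, not values from the advisory.

```python
import re

MAX_FILENAME = 255  # assumed limit; tune to what the appliance's CGI handler accepts
SHELL_META = re.compile(r"[;&|`$(){}<>\n]")  # characters that reach a shell unquoted

# Constructed sample records in a simplified format (not real QNAP logs);
# endpoint paths are placeholders, not paths taken from the advisory.
SAMPLE_RECORDS = [
    {"src": "10.0.0.5", "method": "POST", "path": "/cgi-bin/example_login.cgi",
     "params": {"username": "admin"}, "headers": {"Content-Length": "31"}},
    {"src": "203.0.113.9", "method": "POST", "path": "/cgi-bin/example_login.cgi",
     "params": {"username": "admin;id"}, "headers": {"Content-Length": "34"}},
    {"src": "203.0.113.9", "method": "POST", "path": "/cgi-bin/example_upload.cgi",
     "params": {"filename": "A" * 600}, "headers": {"Content-Length": "900"}},
    {"src": "203.0.113.9", "method": "POST", "path": "/cgi-bin/example_upload.cgi",
     "params": {}, "headers": {}},
    {"src": "10.0.0.5", "method": "GET", "path": "/cgi-bin/example_status.cgi",
     "params": {}, "headers": {}},
]


def triage(record):
    """Return the list of finding labels that apply to one request record."""
    findings = []
    username = record["params"].get("username", "")
    if SHELL_META.search(username):
        findings.append("username-shell-metachar")
    filename = record["params"].get("filename", "")
    if len(filename) > MAX_FILENAME:
        findings.append("oversized-upload-filename")
    # A chunked body legitimately omits Content-Length, so only flag requests
    # that carry a body and declare neither framing header.
    headers = {k.lower(): v for k, v in record["headers"].items()}
    if record["method"] in ("POST", "PUT") and \
            "content-length" not in headers and "transfer-encoding" not in headers:
        findings.append("post-without-content-length")
    return findings


def triage_all(records):
    """Group findings by source address; sources with no findings are omitted."""
    by_src = {}
    for rec in records:
        hits = triage(rec)
        if hits:
            by_src.setdefault(rec["src"], set()).update(hits)
    return {src: sorted(labels) for src, labels in by_src.items()}
```

A source that trips more than one of these checks in a short window is worth a closer look in the device's own logs, since each check on its own will also catch benign traffic.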
Affected versions
QNAP lists fixed builds per product. QTS 5.2.7 is fixed in 5.2.10. QuTS hero h5.2.8 is fixed in h5.2.9. QuTS cloud c5.2.8 is fixed in c5.2.9. QVP 2.7.1 is fixed in QVP 2.8.0.
Patch and mitigation
Updates are available now. Log in as administrator and open Control Panel, then run a firmware Live Update. You can also download firmware manually from QNAP’s support site. Review the full QSA-26-10 advisory for the exact CVE and version mapping. No in-the-wild exploitation has been confirmed, and no public proof-of-concept is available. Still, NAS devices draw active attacker interest, so patch without delay. Limit admin access and keep the management interface off the public internet. Snapshots and offline backups also help limit damage if a device is hit.