Network-attached storage giant QNAP has issued a sweeping set of security advisories, patching critical vulnerabilities that could allow attackers to steal sensitive data, inject malicious code, or crash essential services. The updates cover a broad range of software, from Mac-based client utilities to core backend services like Qfiling and the Multi-Application Recovery Service (MARS).
The advisories highlight two high-severity flaws (CVSS 8.1) alongside several lower-severity but still dangerous bugs.
The most urgent patches address vulnerabilities that could allow remote attackers to compromise the NAS system itself.
- Qfiling Path Traversal (CVE-2025-59384): This flaw affects Qfiling, QNAP’s automated file organization tool. Rated with a CVSS score of 8.1, it allows remote attackers to “read the contents of unexpected files or system data.” The vulnerability is fixed in Qfiling 3.13.1 and later.
- MARS SQL Injection (CVE-2025-59387): The Multi-Application Recovery Service (MARS) was found to be vulnerable to SQL injection, also carrying a CVSS score of 8.1. This flaw allows remote attackers to “execute unauthorized code or commands,” potentially granting them deep access to the system. The issue is resolved in MARS 1.2.1.1686 and later (note that newer versions are renamed to “HDP for WordPress”).
Mac users relying on QNAP’s desktop tools are also urged to update. A path traversal vulnerability (CVE-2025-53594) was discovered affecting Qfinder Pro, Qsync, and the QVPN Device Client for macOS.
While rated lower in severity (CVSS 4.4) because it requires a local user account to exploit, the flaw still poses a risk. “If a local attacker gains a user account, they can then exploit the vulnerability to read the contents of unexpected files or system data,” the advisory warns.
Fixed versions include:
- Qfinder Pro (Mac): 7.13.0+
- Qsync (Mac): 5.1.5+
- QVPN Device Client (Mac): 2.2.8+
Finally, QNAP addressed two vulnerabilities in its License Center. These include an out-of-bounds read (CVE-2025-52871) that could allow attackers to “obtain secret data,” and a buffer overflow (CVE-2025-53597) that could let an administrator-level attacker “modify memory or crash processes”. Both are fixed in License Center 2.0.36.
QNAP recommends all users log in to their QTS or QuTS hero administrator interface, open the App Center, and apply the available updates immediately to secure their devices.
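To turn the fixed versions above into a quick inventory check, here is an added example (not QNAP's code or tooling): it compares installed app versions against the advisory's fixed versions, padding shorter version strings so that, for example, 1.2.1 is treated as older than 1.2.1.1686. The product names and the sample inventory are assumptions constructed for the demonstration; the fixed versions and CVE numbers are the ones stated in the advisories.

```python
from typing import Dict, List, Tuple

# Fixed versions stated in the advisories above: product -> (fixed version, CVE).
FIXED_VERSIONS: Dict[str, Tuple[str, str]] = {
    "Qfiling": ("3.13.1", "CVE-2025-59384"),
    "MARS": ("1.2.1.1686", "CVE-2025-59387"),
    "Qfinder Pro (Mac)": ("7.13.0", "CVE-2025-53594"),
    "Qsync (Mac)": ("5.1.5", "CVE-2025-53594"),
    "QVPN Device Client (Mac)": ("2.2.8", "CVE-2025-53594"),
    "License Center": ("2.0.36", "CVE-2025-52871 / CVE-2025-53597"),
}

def parse_version(text: str) -> Tuple[int, ...]:
    """Split a dotted version into ints; a non-numeric suffix ends the parse."""
    parts = []
    for piece in text.strip().split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)

def version_lt(installed: str, fixed: str) -> bool:
    """True when installed < fixed; shorter versions are zero-padded."""
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))

def find_outdated(inventory: Dict[str, str]) -> List[str]:
    """Report every inventoried app still below the advisory's fixed version."""
    findings = []
    for product, installed in inventory.items():
        if product in FIXED_VERSIONS:
            fixed, cve = FIXED_VERSIONS[product]
            if version_lt(installed, fixed):
                findings.append(f"{product} {installed} -> update to {fixed} ({cve})")
    return findings

# Constructed sample inventory (assumed values, not data from a real device).
SAMPLE_INVENTORY = {
    "Qfiling": "3.12.4",
    "MARS": "1.2.1.1686",
    "License Center": "2.0.30",
    "Qsync (Mac)": "5.1.5",
}
```

Calling `find_outdated(SAMPLE_INVENTORY)` flags Qfiling and License Center while leaving the already-patched MARS and Qsync entries alone; on a real device, populate the inventory from the App Center's installed-version list.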