
QNAP Patches Multiple Vulnerabilities in License Center and NAS Tools

Tags: embedded-device-vulnerability, widely-deployed-product-advisory, internet-facing-service-vulnerability, default-credential-exposure
Updated March 21, 2026 at 02:57 PM. 2 sources

QNAP has addressed several security vulnerabilities affecting its License Center application and other NAS tools, which could allow attackers to access sensitive information or disrupt services on affected devices. The vulnerabilities, identified as CVE-2025-52871 (out-of-bounds read) and CVE-2025-53597 (buffer overflow), require an attacker to have access to a valid or administrator account, making credential theft or weak passwords a significant risk factor. QNAP has released patches in License Center 2.0.36 and later, urging organizations and home users to update immediately, especially if their NAS devices are accessible from the internet or shared among multiple users.

In addition to the License Center flaws, QNAP also patched high-severity SQL injection and path traversal vulnerabilities in its NAS products. These vulnerabilities could have allowed attackers to execute arbitrary code or access restricted files, further emphasizing the importance of timely updates. Users are advised to access the QTS or QuTS hero management interface and apply the latest security updates to mitigate these risks and protect sensitive data stored on QNAP devices.

Timeline

  1. Jan 5, 2026

    QNAP releases patches for SQL injection and path traversal flaws

    QNAP released patches for additional high-severity vulnerabilities affecting its products, including an SQL injection flaw and a path traversal flaw that could be exploited to compromise affected systems. The vendor urged timely patching to reduce the risk of exploitation.

  2. Jan 5, 2026

    QNAP fixes License Center flaws in version 2.0.36

    QNAP addressed two vulnerabilities in its License Center application, CVE-2025-52871 and CVE-2025-53597, which could let authenticated attackers access sensitive data or disrupt services on NAS devices. The issues were fixed in License Center version 2.0.36 and later.
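The advisories summarized here all reduce to one defender task: compare each installed QNAP application version against the first fixed release and prioritize hosts that are reachable from the internet. The following is an added example, not QNAP's code or tooling; it uses the fixed versions quoted on this page (License Center 2.0.36, Qsync Central 5.0.0.2, NetBak Replicator 4.5.15.0807, QVR Pro 2.7.4.14, QuNetSwitch 2.0.4.0415) and a constructed inventory, and handles the unequal-length version strings QNAP uses.

```python
# Fixed versions quoted in the advisories summarized on this page.
FIXED_VERSIONS = {
    "License Center": "2.0.36",
    "Qsync Central": "5.0.0.2",
    "NetBak Replicator": "4.5.15.0807",
    "QVR Pro": "2.7.4.14",
    "QuNetSwitch": "2.0.4.0415",
}


def parse_version(version):
    """Split a dotted QNAP version into an integer tuple.

    Components such as '0807' compare numerically (807), which matches how
    the vendor orders releases; non-numeric components are rejected so a
    malformed inventory entry cannot silently read as 'patched'.
    """
    parts = []
    for component in version.strip().split("."):
        if not component.isdigit():
            raise ValueError(f"non-numeric component {component!r} in {version!r}")
        parts.append(int(component))
    return tuple(parts)


def is_fixed(installed, fixed):
    """True when the installed version is at or above the first fixed release.

    Shorter versions are right-padded with zeros, so '2.0' < '2.0.36' and
    '2.0.36.1' >= '2.0.36'.
    """
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a >= b


def check_inventory(inventory):
    """Return one finding per unpatched product, internet-exposed hosts first.

    inventory: iterable of dicts with keys host, product, version, exposed.
    Products not covered by these advisories are skipped, not flagged.
    """
    findings = []
    for item in inventory:
        fixed = FIXED_VERSIONS.get(item["product"])
        if fixed is None or is_fixed(item["version"], fixed):
            continue
        findings.append({
            "host": item["host"],
            "product": item["product"],
            "installed": item["version"],
            "fixed_in": fixed,
            "priority": "high" if item.get("exposed") else "medium",
        })
    return sorted(findings, key=lambda f: f["priority"] != "high")
```

The inventory would normally come from an asset database or from the version strings shown in the QTS or QuTS hero App Center.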


Related Stories

QNAP Patches Seven Zero-Day Vulnerabilities Exploited at Pwn2Own


QNAP has released security updates to address seven zero-day vulnerabilities in its network-attached storage (NAS) products after these flaws were exploited by security researchers during the Pwn2Own Ireland 2025 competition. The vulnerabilities affected QNAP's QTS and QuTS hero operating systems, as well as key applications including Hyper Data Protector, Malware Remover, and HBS 3 Hybrid Backup Sync. The exploits were demonstrated by teams such as Summoning Team, DEVCORE, Team DDOS, and a CyCraft technology intern, highlighting the critical nature of these security issues. QNAP has provided patched versions for all affected software and strongly recommends that users update to the latest releases and change all passwords to enhance security. The company has published detailed advisories and instructions for updating both the operating systems and vulnerable applications through the QTS or QuTS hero interface. Regular updates and monitoring of product support status are advised to ensure ongoing protection against similar vulnerabilities.

1 month ago
QNAP Patches High-Severity Vulnerabilities in NetBak Replicator and Qsync Central


QNAP has addressed two high-severity security vulnerabilities affecting its NetBak Replicator and Qsync Central products. The first vulnerability, tracked as CVE-2025-53595, is an SQL injection flaw in Qsync Central. This vulnerability allows a remote attacker with a user account to execute unauthorized code or commands on the affected system. QNAP has released a fix for this issue in Qsync Central version 5.0.0.2 and later, mitigating the risk of exploitation. The second vulnerability, identified as CVE-2025-57714, impacts NetBak Replicator and is classified as an unquoted search path or element vulnerability. This flaw enables a local attacker with a user account to execute unauthorized code or commands, potentially leading to privilege escalation or further compromise of the system. The vulnerability in NetBak Replicator has been resolved in version 4.5.15.0807 and later.

Both vulnerabilities have been assigned high CVSS scores, with the SQL injection in Qsync Central rated at 8.6 and the NetBak Replicator flaw at 8.5, reflecting their significant security impact. QNAP's security advisories recommend that users update to the latest versions of the affected products to ensure protection against these threats. The SQL injection vulnerability in Qsync Central is remotely exploitable, increasing its risk profile, while the NetBak Replicator issue requires local access. No specific details about exploitation in the wild have been reported, but the technical nature of the flaws underscores the importance of prompt patching. The vulnerabilities were reported to QNAP by security researchers and disclosed through official channels, including CVE databases and QNAP's own security team. The advisories do not list the exact affected product versions prior to the fixed releases, but users are urged to verify their software versions and apply updates as soon as possible.

QNAP's response demonstrates a commitment to addressing security issues in a timely manner, with coordinated disclosure and clear communication to customers. Organizations using QNAP NetBak Replicator or Qsync Central should review their deployment, assess potential exposure, and implement the recommended updates. The vulnerabilities highlight the ongoing risk of both remote and local exploitation vectors in widely used backup and synchronization software. Security teams are advised to monitor for any signs of compromise and to follow best practices for user account management and software maintenance. The prompt release of patches and public disclosure of these vulnerabilities contribute to the overall security posture of QNAP's user base.

1 month ago
QNAP Fixes Unauthenticated Access in QVR Pro and Command Injection in QuNetSwitch


QNAP disclosed two high-severity vulnerabilities affecting its **QVR Pro** and **QuNetSwitch** products that could be exploited remotely without authentication or user interaction. **CVE-2026-22898** is a missing authentication for critical function flaw in QVR Pro, classified as `CWE-306`, that can let remote attackers gain access to the system. QNAP said the issue is fixed in **QVR Pro 2.7.4.14** and later and published advisory **QSA-26-07**. QNAP also addressed **CVE-2026-22897**, a `CWE-78` command injection flaw in **QuNetSwitch** that could allow remote attackers to execute arbitrary commands on vulnerable devices. The company said the bug was fixed in **QuNetSwitch 2.0.4.0415** and later. Both CVE records carry **CVSS v4.0** assessments indicating network-based exploitation with low attack complexity, no required privileges, and no user interaction, making prompt patching a priority for exposed systems.

2 weeks ago
