Multiple Vulnerabilities in QNAP Tools Let Attackers Obtain Secret Data

QNAP has patched multiple security vulnerabilities in its License Center application that could allow attackers to access sensitive information or disrupt services on affected NAS devices.

The issues, tracked as CVE-2025-52871 and CVE-2025-53597, were disclosed on January 3, 2026.

QNAP rated the flaws as Moderate severity and confirmed that the issues have been resolved in the latest releases. The vulnerabilities affect License Center 2.0.x, a component used to manage licensing on QNAP systems.

The bugs are not described as unauthenticated remote exploits: QNAP notes that an attacker would first need access to a valid account, which makes credential theft, weak passwords, or exposed admin portals key risk factors.

Overview of the Security Flaws

CVE-2025-52871 is an out-of-bounds read vulnerability. According to QNAP, if a remote attacker gains access to a user account, they may exploit the flaw to obtain secret data.

| CVE ID | Vulnerability Type | Affected Product | Impact |
|---|---|---|---|
| CVE-2025-52871 | Out-of-bounds Read | License Center 2.0.x | A remote attacker with an admin account can modify memory or crash processes |
| CVE-2025-53597 | Buffer Overflow | License Center 2.0.x | A remote attacker with an admin account can modify memory or crash processes |

Out-of-bounds read issues typically allow unintended memory disclosure, which can expose tokens, keys, or other sensitive values depending on what is stored in memory during execution.

CVE-2025-53597 is a buffer overflow vulnerability. QNAP states that if a remote attacker gains access to an administrator account, they could exploit it to modify memory or crash processes, potentially causing instability or denial-of-service on affected systems.

QNAP has fixed the vulnerabilities in License Center 2.0.36 and later.

Organizations and home users running License Center 2.0.x should update immediately, especially if the NAS is reachable from the internet or shared across many users.

Access the QTS or QuTS hero management interface and authenticate with administrator privileges. Navigate to App Center from the system menu. In App Center, use the search function to locate License Center. Select the application and click Update. Confirm the update when prompted to complete the process.

QNAP credited Coral for reporting the issues.
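A fleet check for the fixed release named above, as an added example that is not from QNAP or the original article: it classifies License Center versions against 2.0.36 using numeric comparison, so that 2.0.9 is not mistaken for a newer build than 2.0.36. The inventory format, host names and function names are assumptions constructed for illustration.

```python
"""Added example: flag NAS hosts whose License Center build predates the fix."""
import csv
import io

FIXED = (2, 0, 36)          # first fixed release named in the article
AFFECTED_BRANCH = (2, 0)    # the article scopes the flaws to License Center 2.0.x


def parse_version(text):
    """Turn '2.0.35' into (2, 0, 35); return None if it is not dotted numeric."""
    parts = text.strip().split(".")
    if len(parts) < 3 or not all(p.isascii() and p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def classify(version_text):
    """Return 'vulnerable', 'fixed', 'out-of-scope' or 'unknown' for one version."""
    version = parse_version(version_text)
    if version is None:
        return "unknown"            # review by hand rather than assume safe
    if version[:2] != AFFECTED_BRANCH:
        return "out-of-scope"       # the article only covers the 2.0.x branch
    # Tuple comparison is numeric per component: (2, 0, 9) < (2, 0, 36),
    # whereas the string "2.0.9" would sort after "2.0.36".
    return "fixed" if version[:3] >= FIXED else "vulnerable"


def triage(inventory_csv):
    """Map each host in a 'host,license_center_version' CSV to its status."""
    reader = csv.DictReader(io.StringIO(inventory_csv))
    return {row["host"]: classify(row["license_center_version"]) for row in reader}


# Constructed sample inventory (hypothetical hosts, not real devices).
SAMPLE = """host,license_center_version
nas-01,2.0.35
nas-02,2.0.36
nas-03,2.0.9
nas-04,2.0.40
nas-05,1.9.50
nas-06,unknown
"""

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host}: {status}")
```

Hosts reported as unknown need a manual version check before they are treated as patched.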
