Multiple Flaws in QNAP Tools Allow Attackers to Steal Sensitive Data

QNAP has released a security advisory addressing multiple vulnerabilities in its License Center application.

If left unpatched, these flaws could allow attackers to steal sensitive information, crash system processes, or modify memory on affected Network Attached Storage (NAS) devices.

The security update, released on January 3, 2026, resolves two distinct issues affecting License Center version 2.0.x. QNAP has rated the overall severity of these flaws as “Moderate.”

However, they pose a significant risk if an attacker successfully gains initial access to the system.

Vulnerability Details and Impact

QNAP's advisory (QSA-25-52) highlights two specific vulnerabilities rooted in memory management errors.

The first issue, tracked as CVE-2025-52871, is an out-of-bounds read vulnerability.

If a remote attacker gains access to a standard user account, they can exploit this flaw to read data they should not have access to, potentially exposing secret information stored in the system’s memory.

The second issue, CVE-2025-53597, is a buffer overflow vulnerability. This flaw is more severe but requires higher privileges; an attacker needs access to an administrator account to exploit it.

Successful exploitation allows the attacker to modify memory or crash processes, leading to denial-of-service (DoS) or potential system instability.

The following table summarizes the CVEs addressed in this update:

| CVE Identifier | Vulnerability Type | Severity | Impact |
|---|---|---|---|
| CVE-2025-52871 | Out-of-bounds read | Moderate | Allows authenticated users to obtain secret data. |
| CVE-2025-53597 | Buffer overflow | Moderate | Allows administrators to modify memory or crash processes. |

QNAP has resolved these issues in License Center version 2.0.36 and later.

The company strongly recommends that all users running License Center 2.0.x update to the latest version immediately to ensure their data remains secure.

To apply the fix, administrators should log on to QTS or QuTS hero, open the App Center, and search for “License Center.”

If an update is available, an “Update” button will appear. Clicking this button will automatically download and install the patched version.

QNAP credited security researcher Coral for reporting these vulnerabilities, helping secure the ecosystem before widespread exploitation.
