Multiple QNAP Flaws Allow Remote Attackers to Hijack User Accounts
QNAP has issued a security advisory warning users of Qsync Central about two vulnerabilities that could allow an attacker who already holds a user account on the NAS to read sensitive data, modify memory, or execute unauthorized code or commands.
The affected software is widely used for synchronizing files across QNAP NAS devices and connected clients.
Below is a comprehensive analysis of the vulnerabilities, their technical details, and actionable mitigation steps.
Technical Overview of the Vulnerabilities
Two major vulnerabilities have been identified in Qsync Central, a core component of QNAP’s file synchronization ecosystem:
- CVE-2025-22482: Use of Externally-Controlled Format String
- Type: Format string vulnerability
- Impact: If exploited, this vulnerability allows a remote attacker who has gained user access to obtain secret data or modify memory.
- Technical Details: The flaw arises when user-supplied input is used directly as the format string of printf, sprintf, or a similar function. Conversion specifiers embedded in the input are then interpreted by the function: %x and %s read values off the stack (information disclosure), and %n writes to memory, which in the worst case can be turned into code execution. The fix is to pass untrusted text only as an argument to a fixed format, e.g. printf("%s", input), never as the format itself.
- CVE-2025-29892: SQL Injection
- Type: SQL injection vulnerability
- Impact: Remote attackers with user access can exploit this to execute unauthorized SQL commands, potentially resulting in arbitrary code execution or command injection.
- Technical Details: The vulnerability occurs when user input is concatenated into the text of an SQL statement instead of being bound as a parameter, so quotes and comment markers in the input change the structure of the query rather than being treated as data.
Both vulnerabilities require the attacker to have already obtained user-level access to the system.
However, once inside, the impact is severe, making prompt patching essential.
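The following is an added illustration of the two bug classes named in the advisory, not code from Qsync Central or from QNAP. It uses Python's str.format as the externally-controlled format string (the same CWE-134 class as the C printf family; here the attacker reads secret data by walking object attributes instead of the stack) and an in-memory sqlite3 table for the SQL injection. All names (AppConfig, SyncEvent, the users table and its rows, the "bob" and "alice" accounts) are hypothetical and the secret is a constructed sample value. The scenario follows the advisory's prerequisite: the attacker is a legitimate low-privilege user.

```python
"""Added example: CWE-134 (externally-controlled format string) and CWE-89 (SQL
injection), each shown vulnerable and fixed. Hypothetical names; not vendor code."""
import sqlite3
import string


# ---------- CWE-134: externally-controlled format string ----------

class AppConfig:
    # Constructed sample secret: what the attacker wants to read.
    SECRET_KEY = "constructed-example-secret"


class SyncEvent:
    """Hypothetical event object handed to a user-customisable notification template."""
    def __init__(self, user, path, config):
        self.user = user
        self.path = path
        self.config = config   # a reference the template can walk


def render_vulnerable(template, event):
    # VULNERABLE: the untrusted text IS the format string, so replacement fields
    # can traverse attributes of everything reachable from `event`.
    return template.format(event=event)


ALLOWED_FIELDS = {"user", "path"}


def validate_template(template):
    """Accept a user-supplied template only if every replacement field is a bare,
    allow-listed name: no attribute/index access and no nested format spec."""
    for _literal, field, spec, _conv in string.Formatter().parse(template):
        if field is None:          # plain literal text between fields
            continue
        if field not in ALLOWED_FIELDS:   # e.g. "event.config.SECRET_KEY"
            raise ValueError(f"disallowed replacement field: {field!r}")
        if spec and "{" in spec:   # nested fields inside a spec are expanded too
            raise ValueError(f"nested field in format spec: {spec!r}")
    return template


def render_fixed(template, event):
    # Validated template, and only scalar values (never the object graph) as arguments.
    return validate_template(template).format(user=event.user, path=event.path)


# ---------- CWE-89: SQL injection ----------

def make_db():
    """In-memory users table with constructed sample accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, is_admin INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("alice", "correct-horse", 1), ("bob", "battery-staple", 0)])
    return conn


def login_vulnerable(conn, name, password):
    # VULNERABLE: user input concatenated into the statement text.
    query = (f"SELECT name, is_admin FROM users "
             f"WHERE name = '{name}' AND password = '{password}'")
    return conn.execute(query).fetchone()


def login_fixed(conn, name, password):
    # Parameterised query: values travel separately from the statement, so quotes
    # and comment markers in the input remain data.
    return conn.execute(
        "SELECT name, is_admin FROM users WHERE name = ? AND password = ?",
        (name, password)).fetchone()


def demo():
    """Run both attacks from the position of 'bob', a legitimate low-privilege user."""
    event = SyncEvent("bob", "/home/bob/notes.txt", AppConfig)
    payload = "{event.config.SECRET_KEY}"      # attacker-chosen "template"
    leaked = render_vulnerable(payload, event)  # returns the secret
    try:
        render_fixed(payload, event)
        blocked = False
    except ValueError:
        blocked = True

    conn = make_db()
    # Query becomes: ... WHERE name = 'alice' --' AND password = 'wrong'
    # and everything after -- is a comment, so the password check disappears.
    bypass = login_vulnerable(conn, "alice' --", "wrong")   # ('alice', 1)
    fixed = login_fixed(conn, "alice' --", "wrong")         # None
    return {"leaked": leaked, "blocked": blocked, "bypass": bypass, "fixed": fixed}


if __name__ == "__main__":
    print(demo())
```

Two points worth noting from the design. For the format string, the durable fix is not escaping but separation: the untrusted text never becomes the template, and the template never receives an object whose attribute graph leads to secrets. For the injection, sqlite3's execute() runs a single statement, so stacked queries are not possible here; on servers whose driver allows multiple statements, or where the database can write files or load extensions, the same bug escalates from data access to the command execution the advisory warns about.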
Risk Assessment and CVSS Scoring
To help organizations prioritize remediation, the Common Vulnerability Scoring System (CVSS) assigns a numeric score to each vulnerability.
Here’s how the two Qsync Central vulnerabilities stack up:
Vulnerability ID | CVSS v3 Base Score | CVSS v4 Base Score | Qualitative Severity | Description |
---|---|---|---|---|
CVE-2025-22482 | Not formally listed | Not formally listed | High (per SecAlerts) | Format string vulnerability: data exposure or memory modification once user access is obtained. |
CVE-2025-29892 | 9.8 (Critical) | 8.7 (High) | Critical/High | SQL injection: unauthorized code or command execution once user access is obtained. |
The scores above are as reported by third-party trackers at the time of writing. Note that a v3 base score of 9.8 corresponds to a vector requiring no privileges (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), which does not match the advisory's prerequisite of an existing user account (PR:L would give 8.8), so check the vendor's published CVSS vector before using the number to prioritize.
Mitigation and Remediation Steps
QNAP has already addressed these vulnerabilities in Qsync Central version 4.5.0.6 (released March 20, 2025) and later.
All users are strongly advised to update immediately to protect their systems.
How to Update Qsync Central:
- Log on to QTS or QuTS hero as an administrator.
- Open the App Center.
- Type “Qsync Central” in the search box and press ENTER.
- Click Update.
- Note: The Update button will not be available if your Qsync Central is already up to date.
- Click OK to confirm the update.
- The system will automatically update the application.
Additional Recommendations:
- Monitor for unauthorized access: Regularly review NAS access and application logs (for example in QuLog Center on QTS) for logins from unexpected addresses, failed authentication bursts, and Qsync Central activity by accounts that do not normally use it.
- Reduce the attacker's starting point: Both flaws require a valid user account, so remove stale or shared accounts, enforce strong passwords and 2-step verification, and avoid exposing the NAS management interface directly to the internet.
- Implement least privilege: Ensure users have only the permissions necessary for their roles.
- Backup critical data: Maintain up-to-date, offline or immutable backups so that data can be recovered after an incident.
Conclusion and Acknowledgments
The discovery and remediation of these vulnerabilities highlight the ongoing risks in widely used file synchronization solutions.
QNAP has acted swiftly to patch the issues, but users must apply updates promptly to mitigate risk.
Acknowledgements:
- CVE-2025-22482: Searat and izut
- CVE-2025-29892: coral
Revision History:
V1.0 (June 07, 2025) – Published
Attachments:
- CVE-2025-22482.json
- CVE-2025-29892.json
Organizations relying on Qsync Central should treat these vulnerabilities as high priority and ensure all instances are updated to version 4.5.0.6 or later.
Failure to patch could result in significant data loss, unauthorized access, and potential regulatory penalties.