QNAP Fixes 14 Vulnerabilities in QTS, QuTS Hero, QuTS Cloud, and QVP

QNAP has issued security advisory QSA-26-10, which addresses 14 vulnerabilities affecting its widely used NAS and surveillance platforms, including QTS, QuTS hero, QuTS cloud, and QVP (QVR Pro appliances).

These vulnerabilities were disclosed on April 6, 2026, and are categorized as having “Important” severity. They impact the following versions: QTS 5.2.7, QuTS hero h5.2.8, QuTS cloud c5.2.8, and QVP 2.7.1.

The issues have been resolved in updated firmware releases, highlighting the critical importance of timely patch management for enterprise and SMB NAS deployments that are often exposed to internet-facing services.

QNAP Fixes 14 Vulnerabilities

Among the most critical vulnerabilities is CVE-2025-59382, a URL injection flaw that allows remote attackers to manipulate password reset links and redirect victims to pages under their control, potentially leading to credential harvesting.

Additionally, several command injection vulnerabilities, CVE-2025-66273, CVE-2025-66279, and CVE-2026-22893, enable authenticated administrators to execute arbitrary system commands through crafted input parameters such as usernames or API calls, which may result in complete system compromise.

These vulnerabilities demonstrate the risks associated with improper input sanitization in administrative interfaces.

Memory safety issues constitute a significant part of the advisory. Stack overflow and buffer overflow vulnerabilities, including CVE-2025-62858, CVE-2025-68405, CVE-2026-26239, CVE-2026-26240, and CVE-2026-26241, can be exploited to trigger memory corruption, service crashes, or unauthorized actions.

Notably, CVE-2026-26241 allows both authenticated and unauthenticated attackers to exploit chunked file uploads using excessively long filenames, leading to process crashes in CGI components. Similarly, CVE-2026-22899 describes a NULL pointer dereference in utilRequest.cgi that low-privileged users could exploit to cause denial-of-service conditions.

Other vulnerabilities include CVE-2026-24724, a broken access control flaw that enables unauthorized access to sensitive files, and CVE-2026-24720, which is an uncontrolled resource consumption issue that can be exploited to exhaust CPU and memory resources, thereby degrading system performance.

Another significant issue, CVE-2025-66281, is a pre-authentication NULL pointer vulnerability triggered by malformed HTTP requests, allowing attackers to crash services without needing valid credentials.

QNAP has addressed these vulnerabilities in the following versions: QTS 5.2.9.3499, QuTS hero h5.2.9, QuTS cloud c5.2.9, and QVP 2.8.0. Users are strongly advised to update their firmware immediately through the firmware update mechanism in the control panel or by manually downloading patches from QNAP’s official website.

Given the prevalence of NAS devices in enterprise storage, backup infrastructure, and video surveillance environments, unpatched systems could become prime targets for attackers seeking to exfiltrate data, establish persistence, or enable lateral movement.

The advisory emphasizes ongoing security challenges in NAS ecosystems, particularly in input validation, memory handling, and access control enforcement. Organizations using QNAP devices should prioritize prompt patching, restrict administrative access, monitor logs for suspicious activity, and reduce direct internet exposure to minimize their attack surface.

Follow us on Google News, LinkedIn, and X to Get Instant Updates and Set GBH as a Preferred Source in Google.