12 matches found
QNAP QTS and QuTS hero: Improper Neutralization of Input During Web Page Generation (CVE-2023-32969)
A cross-site scripting (XSS) vulnerability has been reported to affect Network & Virtual Switch. If exploited, the vulnerability could allow authenticated administrators to inject malicious code via a network. We have already fixed the vulnerability in the following versions: QuTScloud c5.1.5.2651...
CVE-2025-47208
An allocation of resources without limits or throttling vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains a user account, they can then exploit the vulnerability to prevent other systems, applications, or processes from accessing the same...
CVE-2025-53596 QTS, QuTS hero
A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the...
PT-2025-46141
Name of the Vulnerable Software and Affected Versions: Hyper Data Protector versions prior to 2.2.4.1. Description: An SQL injection issue exists in Hyper Data Protector. Successful exploitation could allow remote attackers to execute unauthorized code or commands. Recommendations: Update to Hyper Da...
PT-2025-46139
Name of the Vulnerable Software and Affected Versions: Malware Remover versions prior to 6.6.8.20251023. Description: An improper control of generation of code issue exists in Malware Remover, potentially allowing remote attackers to bypass protection mechanisms. Recommendations: Update to Malware...
CVE-2025-52433
CVE-2025-52433 describes a NULL pointer dereference in QNAP QTS and QuTS hero that can be exploited to cause a DoS when an attacker gains an administrator account. Affected products: QTS and QuTS hero operating systems. Root cause: NULL pointer dereference in the vulnerable code path. Impact: rem...
CVE-2025-48727
The CVE-2025-48727 issue is a NULL pointer dereference in QNAP QTS and QuTS hero. A remote attacker with administrator privileges could cause a DoS. Affected versions are QTS and QuTS hero prior to the fixed release; remediation is to upgrade to QTS 5.2.6.3195 build 20250715 or later and QuTS her...
CVE-2025-48727 QTS, QuTS hero
A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the...
CVE-2025-47212 QTS, QuTS hero
A command injection vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to execute arbitrary commands. We have already fixed the vulnerability in the following versions: QTS...
CVE-2025-30267
CVE-2025-30267: A NULL pointer dereference vulnerability in QNAP QTS and QuTS hero. A remote attacker who has a user account can trigger a denial-of-service (DoS). Fixed in QTS 5.2.5.3145 build 20250526 and later and QuTS hero h5.2.5.3138 build 20250519 and later.
Vulnerabilities fixed in QNAP QTS and QuTS hero
QNAP has fixed vulnerabilities in QTS and QuTS hero. A malicious party can exploit the vulnerabilities to execute attacks that can result in the following categories of damage: bypassing authentication; circumvention of security measures; remote code execution; Administrator/Root right...
CVE-2020-2508
A command injection vulnerability has been reported to affect QTS and QuTS hero. If exploited, this vulnerability allows attackers to execute arbitrary commands in a compromised application. QNAP have already fixed this vulnerability in the following versions: QTS 4.5.1.1456 build 20201015 and...