Critical QNAP NAS Flaws Let Attackers Execute Commands
QNAP has released security advisory QSA-26-10, addressing 14 vulnerabilities across its widely deployed NAS and surveillance platforms, including QTS, QuTS hero, QuTS cloud, and QVP (QVR Pro appliances).
Disclosed on April 6, 2026, and rated “Important” in severity, these flaws affect QTS 5.2.7, QuTS hero h5.2.8, QuTS cloud c5.2.8, and QVP 2.7.1. Patches are now available, and users are urged to update their firmware without delay.
The advisory covers a broad range of vulnerability classes, from input validation failures to memory corruption, that collectively pose serious risks to enterprise and SMB environments relying on QNAP devices for storage, backup, and video surveillance.
Critical QNAP NAS Flaws
CVE-2025-59382 is among the most immediately dangerous findings. This URL injection flaw allows remote, unauthenticated attackers to manipulate password reset links, redirecting victims to attacker-controlled pages and enabling credential harvesting at scale.
Three command injection vulnerabilities, CVE-2025-66273, CVE-2025-66279, and CVE-2026-22893, allow authenticated administrators to execute arbitrary system commands by supplying crafted input through username parameters or API calls.
Successful exploitation of any of these flaws could result in complete system compromise, underscoring the dangers of improper input sanitization in administrative interfaces.
Memory corruption flaws constitute the largest portion of QSA-26-10. Five stack overflow and stack-based buffer overflow vulnerabilities (CVE-2025-62858, CVE-2025-68405, CVE-2026-26239, CVE-2026-26240, and CVE-2026-26241) can trigger memory corruption, service crashes, or unauthorized actions.
CVE-2026-26241 is particularly notable: it allows both authenticated and unauthenticated attackers to crash CGI components by uploading chunked files with excessively long filenames.
CVE-2026-22899 describes a NULL pointer dereference in utilRequest.cgi that low-privileged users can exploit to induce denial-of-service conditions.
A pre-authentication NULL pointer vulnerability, CVE-2025-66281, compounds the exposure; attackers can crash QNAP services by sending malformed HTTP requests without needing valid credentials whatsoever.
CVE-2026-24724, a broken access control flaw, enables unauthorized access to sensitive files, while CVE-2026-24720 allows attackers to exhaust CPU and memory resources through uncontrolled resource consumption, degrading device performance and availability in production environments.
CVE Summary Table
| CVE ID | Vulnerability Type |
|---|---|
| CVE-2025-59382 | URL injection |
| CVE-2025-66273 | Command injection (username parameter) |
| CVE-2025-66279 | Command injection (user deletion API) |
| CVE-2026-22893 | Command injection (privilege escalation) |
| CVE-2025-62858 | Stack overflow |
| CVE-2025-66280 | Stack manipulation |
| CVE-2025-68405 | Stack overflow |
| CVE-2026-26239 | Stack-based buffer overflow |
| CVE-2026-26240 | Stack-based buffer overflow (utilRequest.cgi) |
| CVE-2026-26241 | Stack-based buffer overflow (chunked upload) |
| CVE-2026-24724 | Broken access control |
| CVE-2026-22899 | NULL pointer dereference (utilRequest.cgi) |
| CVE-2026-24720 | Uncontrolled resource consumption (DoS) |
| CVE-2025-66281 | Pre-auth NULL pointer dereference (HTTP parsing) |
QNAP has resolved all 14 vulnerabilities in the following releases: QTS 5.2.9.3499, QuTS hero h5.2.9, QuTS cloud c5.2.9, and QVP 2.8.0. Updates can be applied through the firmware update mechanism in the control panel or by downloading patches directly from QNAP’s official website.
Given that QNAP NAS devices are frequently internet-facing in enterprise storage, backup, and video surveillance deployments, unpatched systems represent high-value targets for data exfiltration, ransomware staging, and lateral movement.
Organizations should prioritize firmware updates immediately, restrict access to the administrative interface, monitor logs for anomalous activity, and reduce direct internet exposure to limit their attack surface.
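One way to act on the first recommendation is to check a fleet inventory against the fixed releases named above. The following is an added example, not code from QNAP or the article; it assumes you already have a list of (hostname, product, installed version) tuples from your asset inventory, and it conservatively treats every build below the fixed release as unpatched.

```python
import re
from typing import Iterable, List, Tuple

# Fixed releases named in QSA-26-10 (from the advisory summary above); keys are lower-cased product names.
FIXED_RELEASES = {
    "qts": "5.2.9.3499",
    "quts hero": "h5.2.9",
    "quts cloud": "c5.2.9",
    "qvp": "2.8.0",
}

# Leading h/c on QuTS hero/cloud is a product marker, not part of the number; an optional "build NNNN" suffix is kept.
_VERSION_RE = re.compile(r"^[hc]?(\d+(?:\.\d+)*)(?:\s+build\s+(\d+))?$", re.IGNORECASE)

def parse_version(text: str) -> Tuple[int, ...]:
    """'h5.2.8' -> (5, 2, 8); '5.2.9.3499' -> (5, 2, 9, 3499); '5.2.8 build 20250101' -> (5, 2, 8, 20250101)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised QNAP version string: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    if m.group(2):
        parts.append(int(m.group(2)))
    return tuple(parts)

def needs_update(product: str, installed: str) -> bool:
    """True when the installed build is older than the fixed release for that product.
    Assumption (conservative): any build below the fixed one is treated as unpatched, so a bare
    '5.2.9' is still flagged against 5.2.9.3499 because its missing build component counts as 0."""
    fixed = parse_version(FIXED_RELEASES[product.strip().lower()])
    cur = parse_version(installed)
    width = max(len(fixed), len(cur))
    pad = lambda v: v + (0,) * (width - len(v))  # missing trailing components count as 0
    return pad(cur) < pad(fixed)

def audit(inventory: Iterable[Tuple[str, str, str]]) -> List[Tuple[str, str, str, str]]:
    """Return (host, product, installed, fixed) for every device still below the fixed release."""
    return [
        (host, product, ver, FIXED_RELEASES[product.strip().lower()])
        for host, product, ver in inventory
        if needs_update(product, ver)
    ]

# Constructed sample inventory (hostnames and versions are made up for this example).
SAMPLE_INVENTORY = [
    ("nas-01", "QTS", "5.2.7"),
    ("nas-02", "QTS", "5.2.9.3499"),
    ("nas-03", "QuTS hero", "h5.2.8"),
    ("cam-srv", "QVP", "2.7.1"),
    ("cloud-01", "QuTS cloud", "c5.2.9"),
]
```

Running `audit(SAMPLE_INVENTORY)` on the constructed inventory reports nas-01, nas-03 and cam-srv as still needing the update.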