Vulnerabilities in QTS, QuTS hero, QuTS cloud, and QVP (QVR Pro appliances)

Summary

Multiple vulnerabilities have been reported to affect QTS, QuTS hero, QuTS cloud and QVP (QVR Pro appliances):

• CVE-2025-59382: URL injection vulnerability
  A remote attacker can modify the password reset URL and trick a victim into visiting an attacker-controlled password reset page, leading to credential theft.
   
• CVE-2025-66273: Command injection vulnerability
  An authenticated administrator can inject arbitrary system commands through the username parameter, leading to command execution on the NAS.
   
• CVE-2025-66279: Command injection vulnerability in user deletion APIs
  An authenticated administrator can exploit this vulnerability to execute arbitrary commands on the NAS.
   
• CVE-2026-22893: Command injection vulnerability
  An authenticated administrator can exploit this vulnerability to execute arbitrary commands with elevated privileges.
   
• CVE-2025-62858: Stack overflow vulnerability
  If a remote attacker with administrator privileges exploits this vulnerability, they may cause memory corruption and unexpected system behavior.
   
• CVE-2025-66280: Stack manipulation vulnerability
  If an authenticated administrator exploits this vulnerability, they may cause unexpected system behavior or a denial-of-service condition.
   
• CVE-2025-68405: Stack overflow vulnerability
  If an authenticated administrator exploits this vulnerability, they may cause a denial-of-service condition.
   
• CVE-2026-26239: Stack-based buffer overflow
  If an authenticated user exploits this vulnerability, they may perform unauthorized actions.
   
• CVE-2026-26240: Stack-based buffer overflow
  An overly long upload filename can trigger a stack-based buffer overflow in utilRequest.cgi, resulting in a service crash.
   
• CVE-2026-26241: Stack-based buffer overflow
  An authenticated or unauthenticated remote attacker can supply an excessively long filename during chunked file uploads, triggering a stack-based buffer overflow and causing the affected CGI process to crash.
   
• CVE-2026-24724: Broken access control
  An authenticated user may bypass intended access restrictions and access sensitive files.
   
• CVE-2026-22899: NULL pointer dereference
  An authenticated low-privileged user can trigger a NULL pointer dereference in utilRequest.cgi, causing a segmentation fault and resulting in a denial-of-service condition.
   
• CVE-2026-24720: Uncontrolled resource consumption vulnerability
  An authenticated remote attacker can exploit the vulnerability to consume excessive system resources, causing high CPU and memory usage and degrading system responsiveness.
   
• CVE-2025-66281: Pre-authentication NULL pointer vulnerability
  A malformed HTTP request with a missing or empty content-length header can trigger a NULL pointer dereference, resulting in a denial-of-service condition.
   

We have already fixed the vulnerabilities in the following version:

Recommendation

To secure your device, we recommend regularly updating your system to the latest version to benefit from vulnerability fixes. You can check the product support status to see the latest updates available to your NAS model.

Updating QTS, QuTS hero, or QuTScloud

1. Log in to QTS, QuTS hero, or QuTScloud as an administrator.
2. Go to Control Panel > System > Firmware Update.
3. Under Live Update, click Check for Update.
   The system downloads and installs the latest available update.

Tip: You can also download the update from the QNAP website. Go to Support > Download Center and then perform a manual update for your specific device.

Updating QVP (QVR Pro Appliances)

1. Log in to QVP or QVR as an administrator.
2. Go to Control Panel > System Settings > Firmware Update.
3. Select the Firmware Update tab.
4. Click Browse... to upload the latest firmware file.
   Tip: Download the latest firmware file for your specific device from https://www.qnap.com/go/download.
5. Click Update System.
   The system installs the update.