Security updates: Various attacks on Qnap NAS possible
If the prerequisites are met, attackers can attack Qnap network storage with far-reaching consequences.
Multiple security vulnerabilities endanger Qnap NAS systems. Security patches are available for download. However, in many cases, attacks are not straightforward.
As indicated in the security section of the Qnap website, the vulnerabilities affect License Center, MARS, Qfiling, Qfinder Pro, Qsync, QuMagie, QVPN Device Client, QTS, and QuTS hero. Admins can find information on the security updates in the advisories linked below this post.
The vulnerabilities
Remote attackers can exploit a vulnerability (CVE-2025-59384, "high") in Qfiling to, among other things, view system data. The NAS operating systems QTS and QuTS hero are affected by multiple flaws. For example, attackers can disable NAS systems via DoS attacks or access secret data that is supposed to be protected. However, attackers must have already gained control of an admin account to do so. An official classification of the threat level of these vulnerabilities on the NIST website is apparently still pending. CERT Bund from the Federal Office for Information Security (BSI) classifies the severity as "high".
So far, there are no reports of attackers exploiting the vulnerabilities. It is also currently unclear how to identify instances that have already been attacked.
Further information on security patches:
- Vulnerability in QuMagie
- Multiple Vulnerabilities in QTS and QuTS hero 1
- Multiple Vulnerabilities in QTS and QuTS hero 2
- Multiple Vulnerabilities in License Center
- Vulnerability in MARS (Multi-Application Recovery Service)
- Vulnerability in Qfiling
- Vulnerability in Qfinder Pro, Qsync, and QVPN Device Client (for Mac)
(des)