Qnap addresses critical security issues in NAS software

Qnap developers have released important security updates for network storage devices. Attackers can execute malicious code.


Multiple software vulnerabilities endanger Qnap NAS systems. Attackers can access devices and, in the worst case, gain full control. Security patches provide a remedy. So far, there are no reports of attackers exploiting the vulnerabilities. Owners of a Qnap NAS should ensure that all installed components are up to date.

As indicated in the security section of the Qnap website, the security problems affect the Media Streaming Add-on, QuFTP Service, QuNetSwitch (ADRA NDR), QuRouter, and QVR Pro components.

A “critical” vulnerability (CVE-2026-22898) in the QVR Pro IP video surveillance software is considered the most dangerous. According to a warning, remote attackers can gain access to systems because authentication is missing for a critical function that is not described in more detail. The developers state that the vulnerability has been closed in QVR Pro 2.7.4.1485.

Qnap rates the danger posed by four vulnerabilities in QuNetSwitch (ADRA NDR) as “critical.” Here, attackers can access network storage, among other things, due to hardcoded credentials (CVE-2026-22900 “medium”). By successfully exploiting the remaining vulnerabilities, attackers can, among other things, execute their own commands (e.g., CVE-2026-22901 “medium”). To fix this, administrators must install QuNetSwitch 2.0.4.0415 or QuNetSwitch 2.0.5.0906.


Qnap also assigns a critical rating to the security vulnerabilities in QuRouter. Here, too, code execution can occur. However, local attackers already need administrator rights for this (e.g., CVE-2025-62845 “medium”). The developers state that the issues are fixed in QuRouter 2.6.3.009.

(des)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.