QNAP Systems has issued critical security updates to address multiple vulnerabilities in its network-attached storage (NAS) operating systems, including QTS, QuTS hero, QuTS cloud, and QVP. These vulnerabilities, if exploited, could allow attackers to execute arbitrary commands, cause denial-of-service (DoS) conditions, and bypass access controls.
The security advisory, released on April 6, 2026, identifies several command injection vulnerabilities, notably CVE-2025-66273, CVE-2025-66279, and CVE-2026-22893. These flaws enable authenticated administrators to inject arbitrary system commands through vulnerable parameters such as usernames or API inputs. Successful exploitation could grant attackers full command execution capabilities on affected NAS devices, potentially leading to file manipulation, malware deployment, or lateral movement within internal networks. CVE-2026-22893 is particularly concerning as it allows command execution with elevated privileges, heightening the overall risk.
Another significant issue, CVE-2025-59382, involves a URL injection vulnerability in the password reset mechanism. Attackers can craft malicious reset links to deceive users into submitting credentials to attacker-controlled pages, resulting in credential theft.
Memory-handling vulnerabilities, including stack and buffer overflows, are also addressed. For instance, CVE-2026-26240 and CVE-2026-26241 can be triggered by excessively long filenames during file uploads, leading to crashes in the utilRequest.CGI component. Such flaws can disrupt services or destabilize NAS operations. Additionally, CVE-2025-66280 and CVE-2025-66281 involve stack manipulation and NULL pointer dereference issues, allowing attackers to crash services with specially crafted requests.
Other vulnerabilities include CVE-2026-24724, a broken access control flaw that permits authenticated users to bypass restrictions and access sensitive files, and CVE-2026-24720, which enables uncontrolled resource consumption, allowing attackers to exhaust CPU and memory resources, significantly degrading system performance. Furthermore, CVE-2026-22899 allows low-privileged users to trigger a NULL pointer dereference, resulting in a denial-of-service condition.
QNAP has released security updates to address these vulnerabilities, upgrading QTS to version 5.2.10, QuTS hero to h5.2.9, QuTS cloud to c5.2.9, and QVP to version 2.8.0. Users are strongly advised to update their systems immediately to mitigate potential exploitation risks. To update, administrators should log into their device interface, navigate to the firmware update section, and apply the latest available version. Alternatively, firmware can be downloaded manually from the QNAP Download Center.
Given the presence of multiple command injection and memory corruption flaws, organizations using QNAP NAS devices should prioritize patching and monitor for suspicious activity. Limiting network exposure of NAS devices and implementing robust access controls can further reduce the risk of exploitation.
Regularly updating firmware is crucial for maintaining the security and stability of NAS devices. The swift release of these patches underscores the importance of proactive vulnerability management in safeguarding sensitive data and ensuring uninterrupted service operations.
