VYPR
← All advisories
Unrated severityNVD Advisory· Published Feb 2, 2024· Updated Jun 17, 2025

QTS, QuTS hero, QuTScloud

CVE-2023-41292

Description

A buffer copy without checking size of input vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to execute code via a network.

We have already fixed the vulnerability in the following versions: QTS 5.1.4.2596 build 20231128 and later QuTS hero h5.1.4.2596 build 20231128 and later QuTScloud c5.1.5.2651 and later

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A buffer copy without size check in QNAP QTS, QuTS hero, and QuTScloud allows authenticated administrators to execute code via network.

Vulnerability

A buffer copy without checking size of input vulnerability exists in QNAP QTS, QuTS hero, and QuTScloud operating systems. Affected versions include QTS 5.1.x, QuTS hero h5.1.x, and QuTScloud 5.x. The vulnerability is exploitable by authenticated administrators via network [1].

Exploitation

An authenticated administrator can send a specially crafted network request to trigger the buffer copy without proper size validation, leading to code execution. No additional user interaction or privileges beyond administrative access are required [1].

Impact

Successful exploitation allows an authenticated administrator to execute arbitrary code on the affected QNAP device. This can result in full compromise of the NAS, including data access, modification, and potential lateral movement within the network [1].

Mitigation

QNAP has fixed the vulnerability in the following versions: QTS 5.1.4.2596 build 20231128 and later, QuTS hero h5.1.4.2596 build 20231128 and later, and QuTScloud c5.1.5.2651 and later. Users should update their systems to these or later versions. No workarounds are provided; regular updates are recommended [1].

References
  1. Multiple Vulnerabilities in QTS, QuTS hero and QuTScloud - Security Advisory

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

6
  • Qnap/Qtsllm-fuzzy
    Range: <5.1.4.2596 build 20231128
  • Qnap/QuTS herollm-fuzzy
    Range: <h5.1.4.2596 build 20231128
  • Qnap/QuTScloudllm-fuzzy
    Range: <c5.1.5.2651
  • QNAP Systems Inc./QTSv5
    Range: 5.1.x
  • QNAP Systems Inc./QuTScloudv5
    Range: c5.x.x
  • QNAP Systems Inc./QuTS herov5
    Range: h5.1.x

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

1

News mentions

0

No linked articles in our index yet.