QNAP Patches Multiple Injection Vulnerabilities Leading to Arbitrary Command Execution
QNAP released urgent firmware updates fixing command injection, URL injection, and memory corruption flaws across QTS, QuTS hero, QuTS cloud, and QVP.

QNAP has released security updates to address a batch of critical vulnerabilities affecting its NAS operating systems, including QTS, QuTS hero, QuTS cloud, and QVP (QVR Pro appliances). The flaws, disclosed on April 6, 2026, impact versions QTS 5.2.7, QuTS hero h5.2.8, QuTS cloud c5.2.8, and QVP 2.7.1. QNAP classified the issues as “Important” severity and confirmed all reported vulnerabilities have been resolved in the latest firmware releases.
Among the most critical issues are several command injection vulnerabilities, including CVE-2025-66273, CVE-2025-66279, and CVE-2026-22893. These flaws allow authenticated administrators to inject arbitrary system commands via vulnerable parameters such as usernames or API inputs. Successful exploitation could result in full command execution on affected NAS devices, potentially enabling attackers to manipulate files, deploy malware, or pivot within internal networks. Notably, CVE-2026-22893 allows command execution with elevated privileges, increasing the overall risk.
In addition, CVE-2025-59382 exposes a URL injection vulnerability in the password reset mechanism. Attackers can craft malicious reset links and trick users into submitting credentials to attacker-controlled pages, leading to credential theft.
Several vulnerabilities involve memory-handling issues, such as stack and buffer overflows. These include CVE-2025-62858, CVE-2025-68405, and CVE-2026-26239 through CVE-2026-26241. For example, CVE-2026-26240 and CVE-2026-26241 can be triggered by excessively long filenames during file uploads, leading to crashes in the utilRequest.CGI component. These flaws can lead to service disruption or instability in NAS operations.
Other vulnerabilities, such as CVE-2025-66280 and CVE-2025-66281, involve stack manipulation and NULL pointer dereference issues, allowing attackers to crash services with specially crafted requests. The advisory also includes CVE-2026-24724, a broken access control vulnerability that allows authenticated users to bypass restrictions and access sensitive files. Meanwhile, CVE-2026-24720 enables uncontrolled resource consumption, allowing attackers to exhaust CPU and memory resources, significantly degrading system performance. Additionally, CVE-2026-22899 allows low-privileged users to trigger a NULL pointer dereference, resulting in a denial-of-service condition.
The fixes, detailed in advisory QSA-26-10, upgrade QTS to version 5.2.10, QuTS hero to h5.2.9, QuTS cloud to c5.2.9, and QVP to version 2.8.0. Users are strongly advised to update their systems immediately to mitigate potential exploitation risks. To update, administrators should log into their device interface, navigate to the firmware update section, and apply the latest available version. Alternatively, firmware can be downloaded manually from the QNAP Download Center.
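As an added example (not QNAP's code and not part of the advisory), the check below flags NAS devices in an inventory that are still below the fixed versions listed above. It treats any build below the fixed release as unpatched, which is the conservative reading, and assumes version strings look like those in the advisory (an optional letter prefix such as h or c, then dotted numbers), possibly followed by a build suffix that is ignored; the hostnames and inventory are constructed sample data.

```python
import re
from typing import List, Tuple

# Fixed versions per QSA-26-10 as summarised above.
FIXED_VERSIONS = {
    "QTS": "5.2.10",
    "QuTS hero": "h5.2.9",
    "QuTS cloud": "c5.2.9",
    "QVP": "2.8.0",
}

# Optional single-letter prefix (h for QuTS hero, c for QuTS cloud), then dotted digits.
_VERSION_RE = re.compile(r"^(?P<prefix>[a-z]?)(?P<nums>\d+(?:\.\d+)*)")


def parse_version(version: str) -> Tuple[str, Tuple[int, ...]]:
    """Split e.g. 'h5.2.8.1234 build 20260115' into ('h', (5, 2, 8, 1234)).
    Assumption: anything after the dotted numbers (a build suffix) is ignored."""
    m = _VERSION_RE.match(version.strip().lower())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return m.group("prefix"), tuple(int(p) for p in m.group("nums").split("."))


def is_patched(product: str, installed: str) -> bool:
    """True if the installed build is at or above the fixed release for the product."""
    fixed_prefix, fixed_nums = parse_version(FIXED_VERSIONS[product])
    inst_prefix, inst_nums = parse_version(installed)
    if inst_prefix != fixed_prefix:
        raise ValueError(f"{installed!r} does not look like a {product} version")
    # Compare component-wise as integers (string comparison would rank 5.2.7 above 5.2.10);
    # pad with zeros so 5.2.9 and 5.2.9.0 compare equal.
    width = max(len(fixed_nums), len(inst_nums))
    pad = lambda t: t + (0,) * (width - len(t))
    return pad(inst_nums) >= pad(fixed_nums)


def triage(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Return the (host, product, version) entries still running an unpatched build."""
    return [entry for entry in inventory if not is_patched(entry[1], entry[2])]


# Constructed sample inventory; hostnames and build suffixes are made up.
SAMPLE_INVENTORY = [
    ("nas-01", "QTS", "5.2.7.3120 build 20260115"),
    ("nas-02", "QTS", "5.2.10.3201 build 20260406"),
    ("nas-03", "QuTS hero", "h5.2.8"),
    ("nas-04", "QuTS cloud", "c5.2.9"),
    ("nas-05", "QVP", "2.7.1"),
]
```

Running `triage(SAMPLE_INVENTORY)` reports nas-01, nas-03 and nas-05 as still needing the update.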
Given the presence of multiple command injection and memory corruption flaws, organizations using QNAP NAS devices should prioritize patching and monitor for suspicious activity. Limiting administrative access, enforcing strong authentication, and reviewing system logs can further reduce exposure. With NAS devices often exposed to the internet, unpatched systems remain attractive targets for attackers seeking to exfiltrate data or establish a foothold on the network.