Categories: Cyber Security News

Critical QNAP Vulnerabilities Enable Unauthorized Remote Account Access

QNAP Systems has disclosed multiple critical security vulnerabilities affecting Qsync Central 4.5.x that could allow remote attackers to gain unauthorized access to user accounts and execute malicious code.

The vulnerabilities, identified as CVE-2025-22482 and CVE-2025-29892, were reported on June 7, 2025, and have been classified with “Important” severity ratings.

Both security vulnerabilities require an attacker to first gain access to a user account before exploitation can occur, but once compromised, they enable significant system access and data manipulation capabilities.

The first vulnerability, CVE-2025-22482, is a use-of-externally-controlled-format-string flaw that poses serious security risks to affected systems.

This type of vulnerability occurs when user-controlled input is improperly handled in format string functions, allowing attackers to manipulate memory operations and potentially access sensitive data.

Security researchers Searat and izut are credited with discovering this critical vulnerability, which enables remote attackers to obtain secret data or modify system memory once they have gained initial access to a user account.

The second vulnerability, CVE-2025-29892, constitutes a SQL injection vulnerability that presents even more severe implications for system security.

Discovered by security researcher coral, this vulnerability allows remote attackers to execute unauthorized code or commands on the affected system.

SQL injection vulnerabilities are particularly dangerous as they can provide attackers with direct database access, enabling them to manipulate, extract, or destroy critical data stored within the application’s database infrastructure.

QNAP Vulnerabilities

Both vulnerabilities share a common attack vector requiring initial user account compromise, suggesting that attackers must first breach user credentials through phishing, credential stuffing, or other social engineering techniques.

However, once this initial access is obtained, the impact becomes significantly amplified.

The format string vulnerability in CVE-2025-22482 stems from improper input validation, allowing attackers to supply malicious format specifiers that can read from or write to arbitrary memory locations.

The SQL injection vulnerability in CVE-2025-29892 demonstrates more severe potential consequences, as successful exploitation could grant attackers the ability to execute arbitrary commands on the underlying operating system.

This type of vulnerability typically occurs when user input is directly concatenated into SQL queries without proper sanitization or parameterization, creating opportunities for malicious SQL code injection.
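To make the concatenation-versus-parameterization distinction concrete, here is an added illustration (not Qsync Central's code; the user table and the inputs are constructed for the example) showing the same lookup written both ways and how a crafted value changes the meaning of the concatenated query but is treated as plain data by the parameterized one:

```python
import sqlite3


def make_db():
    # Constructed in-memory stand-in for an application's user table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cr3t-a"), ("bob", "s3cr3t-b")])
    return conn


def lookup_concat(conn, name):
    # Vulnerable pattern: the caller-supplied value is spliced into the SQL
    # text, so quote characters in it are parsed as part of the statement.
    sql = "SELECT name, secret FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_param(conn, name):
    # Hardened pattern: the value is bound as a parameter and never parsed
    # as SQL, whatever characters it contains.
    sql = "SELECT name, secret FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def demo():
    # Runs both lookups with a benign name and with a constructed value that
    # turns the concatenated WHERE clause into an always-true condition.
    conn = make_db()
    benign = "alice"
    hostile = "x' OR '1'='1"
    return {
        "concat_benign": lookup_concat(conn, benign),
        "concat_hostile": lookup_concat(conn, hostile),
        "param_benign": lookup_param(conn, benign),
        "param_hostile": lookup_param(conn, hostile),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

The concatenated lookup returns every row for the crafted value, which is the data-exposure outcome the article describes, while the parameterized lookup returns nothing because no user is literally named `x' OR '1'='1`.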

QNAP has confirmed that these vulnerabilities affect all versions of Qsync Central 4.5.x prior to the security patch.

The company has already developed and released fixes for both vulnerabilities, with the patched version being Qsync Central 4.5.0.6, which was made available on March 20, 2025.

Remote Account Access

QNAP strongly recommends that all users running affected versions of Qsync Central immediately update to the latest version to mitigate these security risks.

The update process requires administrative access to either QTS or QuTS hero operating systems.

Users can update through the App Center by searching for “Qsync Central” and clicking the Update button, provided their system is not already running the patched version.

Organizations should prioritize this update as part of their security maintenance procedures, particularly given the potential for remote code execution.

Additionally, administrators should review user account security measures and implement strong authentication mechanisms to reduce the likelihood of initial account compromise that could enable exploitation of these vulnerabilities.


The post Critical QNAP Vulnerabilities Enable Unauthorized Remote Account Access appeared first on Cyber Security News.
