Multiple Vulnerabilities in QNAP Tools Let Attackers Obtain Secret Data

Posted on By CWS

QNAP has patched a number of safety vulnerabilities in its License Heart utility that would permit attackers to entry delicate data or disrupt providers on affected NAS gadgets.

The problems, tracked as CVE-2025-52871 and CVE-2025-53597, have been disclosed on January 3, 2026.

QNAP rated the issues as Reasonable severity and confirmed that the problems have been resolved within the newest releases. The vulnerabilities have an effect on License Heart 2.0.x, a element used to handle licensing on QNAP programs.

Whereas the bugs aren’t described as unauthenticated distant exploits, QNAP notes that an attacker would first want entry to a legitimate account.

Which makes credential theft, weak passwords, or uncovered admin portals key danger elements.

Overview of the Safety Flaws

CVE-2025-52871 is an out-of-bounds learn vulnerability. In line with QNAP, if a distant attacker beneficial properties entry to a consumer account, they might exploit the flaw to acquire secret information.

CVE IDVulnerability TypeAffected ProductImpactCVE-2025-52871Out-of-bounds ReadLicense Heart 2.0.xA distant attacker with admin account can modify reminiscence or crash processesCVE-2025-53597Buffer OverflowLicense Heart 2.0.xA distant attacker with an admin account can modify reminiscence or crash processes

Out-of-bounds learn points sometimes permit unintended reminiscence disclosure, which might expose tokens, keys, or different delicate values relying on what’s saved in reminiscence throughout execution.

CVE-2025-53597 is a buffer overflow vulnerability. QNAP states that if a distant attacker beneficial properties entry to an administrator account.

They might exploit it to modify reminiscence or crash processes, probably inflicting instability or denial-of-service on affected programs. QNAP has mounted the vulnerabilities in License Heart 2.0.36 and later.

Organizations and residential customers working License Heart 2.0.x ought to replace instantly, particularly if the NAS is reachable from the web or shared throughout many customers.

Entry the QTS or QuTS hero administration interface and authenticate with administrator privileges. Navigate to App Heart from the system menu.

In App Heart, use the search operate to find License Heart. Choose the applying and click on Replace. Affirm the replace when prompted to finish the method. QNAP credited Coral for reporting the problems.

Comply with us on Google Information, LinkedIn, and X for every day cybersecurity updates. Contact us to function your tales.

Cyber Security News Tags:, , , , , , ,

Related Posts

Network Intrusion Detection for Emerging 2025 Cyber Threats Cyber Security News
New Research Uncovers Connection Between VPN Apps and Multiple Security Vulnerabilities Cyber Security News
Malicious VS Code Extension as Icon Theme Attacking Windows and macOS Users Cyber Security News
HashiCorp Vault 0-Day Vulnerabilities Let Attackers Execute Remote Code Cyber Security News
Splunk Universal Forwarder on Windows Lets Non-Admin Users Access All Contents Cyber Security News
Want To Detect Incidents Before It’s Too Late? You Need Threat Intelligence Cyber Security News