QNAP has patched a number of security vulnerabilities in its License Center utility that could allow attackers to access sensitive data or disrupt services on affected NAS devices.
The issues, tracked as CVE-2025-52871 and CVE-2025-53597, were disclosed on January 3, 2026.
QNAP rated the issues as Moderate severity and confirmed that they have been resolved in the latest releases. The vulnerabilities affect License Center 2.0.x, a component used to manage licensing on QNAP systems.
The bugs are not described as unauthenticated remote exploits: QNAP notes that an attacker would first need access to a valid account, which makes credential theft, weak passwords, or exposed admin portals key risk factors.
Overview of the Security Flaws
CVE-2025-52871 is an out-of-bounds read vulnerability. According to QNAP, if a remote attacker gains access to a user account, they could exploit the flaw to obtain secret data.
| CVE ID | Vulnerability Type | Affected Product | Impact |
| CVE-2025-52871 | Out-of-bounds Read | License Center 2.0.x | A remote attacker with an admin account can modify memory or crash processes |
| CVE-2025-53597 | Buffer Overflow | License Center 2.0.x | A remote attacker with an admin account can modify memory or crash processes |
Out-of-bounds read issues typically allow unintended memory disclosure, which can expose tokens, keys, or other sensitive values depending on what is stored in memory during execution.
CVE-2025-53597 is a buffer overflow vulnerability. QNAP states that if a remote attacker gains access to an administrator account, they could exploit it to modify memory or crash processes, potentially causing instability or denial-of-service on affected systems. QNAP has fixed the vulnerabilities in License Center 2.0.36 and later.
Organizations and home users running License Center 2.0.x should update immediately, especially if the NAS is reachable from the internet or shared across many users.
Access the QTS or QuTS hero management interface and authenticate with administrator privileges. Navigate to App Center from the system menu.
In App Center, use the search function to locate License Center. Select the application and click Update. Confirm the update when prompted to complete the process. QNAP credited Coral for reporting the issues.
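For anyone tracking more than one NAS, the following added example (not QNAP's code and not part of the original article) triages an inventory of License Center versions against the 2.0.x / 2.0.36 boundary stated above. The CSV layout, column names and host names are assumptions made for illustration; versions are compared numerically so that 2.0.9 is not mistaken for a release newer than 2.0.36.

```python
import csv
import io
import re

FIXED = (2, 0, 36)          # first fixed release named in the article
AFFECTED_BRANCH = (2, 0)    # the article lists License Center 2.0.x as affected


def parse_version(text):
    """Return (major, minor, patch) as ints, ignoring any suffix, or None."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text or "")
    return tuple(int(p) for p in m.groups()) if m else None


def classify(version_text):
    """Map a License Center version string to a triage status."""
    v = parse_version(version_text)
    if v is None:
        return "unknown"        # missing or malformed: check the device by hand
    if v[:2] != AFFECTED_BRANCH:
        return "not_covered"    # outside 2.0.x: the article makes no statement
    return "patched" if v >= FIXED else "vulnerable"


def triage(inventory_csv):
    """Return {host: status} for CSV text with 'host' and 'license_center' columns."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return {r["host"]: classify(r.get("license_center")) for r in rows}


# Constructed sample inventory (hypothetical hosts and versions).
SAMPLE = """host,license_center
nas-office,2.0.35
nas-backup,2.0.36
nas-lab,2.0.9
nas-old,1.9.52
nas-edge,
"""

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host:12} {status}")
```

Hosts reported as unknown or not_covered need a manual look in App Center, since the article only speaks to the 2.0.x branch.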
