Qnap releases patches for several security issues in its products. The bugs affect Authenticator as well as various applications within the NAS ecosystem.
Qnap has patched security vulnerabilities in multiple versions of its products. These vulnerabilities affect several Qnap products, including Qnap Authenticator, Video Station, Qsync Central, QTS, QuTS hero, and NetBak Replicator. Users are advised to install the latest versions of the affected products to protect against potential attacks.
Multiple Issues
The vulnerabilities range from SQL injection and path traversal to memory issues that can lead to DoS attacks or unauthorized access. Different versions of Qnap products, such as Qnap Authenticator, Video Station, and Qsync Central, need to be patched. All vulnerabilities have been fixed in the latest releases of the affected products.
- Qnap Authenticator (ID: QSA-25-30): A vulnerability in Qnap Authenticator 1.3.x allows attackers with physical access to the device to compromise the system. This issue is fixed in version 1.3.1.1227 and later.
- Video Station (ID: QSA-25-32): An SQL injection issue in Video Station 5.8.x allows attackers to execute unauthorized code. This is fixed in version 5.8.4 and later.
- Qsync Central (ID: QSA-25-34 & QSA-25-35): Qsync Central 4.x and 5.0.0 contain multiple vulnerabilities, including path traversal, unbounded resource allocation, and NULL pointer dereference, which can lead to DoS attacks or unauthorized access. These have been fixed in version 5.0.0.1 and version 5.0.0.2, respectively.
- QTS and QuTS hero (ID: QSA-25-36): Multiple vulnerabilities have been reported in QTS 5.2.x and QuTS hero h5.2.x, including path traversal, command injection, and NULL pointer dereference, allowing attackers to view system data, execute unauthorized commands, or launch a DoS attack. These vulnerabilities are fixed in version 5.2.6.3195 (2025/07/15) or later.
- NetBak Replicator (ID: QSA-25-39): An issue in NetBak Replicator 4.5.x allows local attackers to execute unauthorized code. This issue is fixed in version 4.5.15.0807 and later.
Qnap advises all users of the affected products to install the latest versions.
