QNAP Patches Critical SQL Injection Vulnerabilities in QTS and QuTS Hero

Marcus Rodriguez
June 22, 2026 3 Min Read

Key Takeaways

  • QNAP has released critical security updates for its NAS operating systems: QTS, QuTS hero, QuTS cloud, and QVP.
  • The patches address numerous vulnerabilities, including severe command injection flaws, memory corruption issues, and access control bypasses.
  • Exploitation of these vulnerabilities could lead to arbitrary command execution, denial-of-service, and credential theft.
  • Affected versions include QTS 5.2.7, QuTS hero h5.2.8, QuTS cloud c5.2.8, and QVP 2.7.1.
  • Users are urged to update immediately to QTS 5.2.10, QuTS hero h5.2.9, QuTS cloud c5.2.9, and QVP 2.8.0 to mitigate significant risks.

QNAP, a leading provider of network-attached storage (NAS) solutions, has issued urgent security advisories detailing patches for a range of critical vulnerabilities affecting its core operating systems. These updates are crucial for users of QTS, QuTS hero, QuTS cloud, and QVP (QVR Pro appliances), as the flaws could enable threat actors to gain full control over devices, disrupt services, or steal sensitive information.

Table of Contents

  • Key Takeaways
  • Critical Command Injection and URL Injection Flaws
  • Memory Corruption and Denial-of-Service Issues
  • Access Control Bypass and Resource Exhaustion
  • Affected Versions and Patches
  • What You Should Do

The advisory, released on April 6, 2026, outlines several “Important” severity issues, including command injection, memory handling errors, and access control bypasses. These vulnerabilities collectively pose a significant risk to unpatched systems, potentially allowing attackers to execute arbitrary code, trigger denial-of-service conditions, or circumvent security measures.

Critical Command Injection and URL Injection Flaws

Among the most severe vulnerabilities addressed are several command injection flaws, identified as CVE-2025-66273, CVE-2025-66279, and CVE-2026-22893. These weaknesses permit authenticated administrators to inject arbitrary system commands through various vulnerable parameters, such as usernames or API inputs. Successful exploitation could grant attackers complete command execution capabilities on the compromised NAS device, enabling data manipulation, malware deployment, or lateral movement within an organization’s network.

CVE-2026-22893 is particularly concerning because it facilitates command execution with elevated privileges, amplifying the potential impact. In addition, CVE-2025-59382 is a URL injection vulnerability in the password reset mechanism: it could allow attackers to craft malicious password reset links that redirect users to attacker-controlled pages to harvest credentials.

Memory Corruption and Denial-of-Service Issues

The security updates also address a series of memory-handling vulnerabilities, including stack and buffer overflows. These encompass CVE-2025-62858, CVE-2025-68405, and a cluster of issues from CVE-2026-26239 through CVE-2026-26241. For instance, CVE-2026-26240 and CVE-2026-26241 can be triggered by excessively long filenames during file uploads, leading to crashes within the utilRequest.CGI component. Such flaws can result in system instability and service disruptions.

Other vulnerabilities, such as CVE-2025-66280 and CVE-2025-66281, involve stack manipulation and NULL pointer dereference issues, which attackers could leverage to crash critical services with specially crafted requests.

Access Control Bypass and Resource Exhaustion

The advisory further details CVE-2026-24724, a broken access control vulnerability that allows authenticated users to bypass established restrictions and gain unauthorized access to sensitive files. Another significant flaw, CVE-2026-24720, involves uncontrolled resource consumption, enabling attackers to exhaust CPU and memory resources, severely degrading system performance and potentially leading to a denial-of-service state.

Additionally, CVE-2026-22899 allows low-privileged users to trigger a NULL pointer dereference, which can also result in a denial-of-service condition.

Affected Versions and Patches

The vulnerabilities impact QTS version 5.2.7, QuTS hero h5.2.8, QuTS cloud c5.2.8, and QVP 2.7.1. QNAP has released comprehensive security updates, as detailed in advisory QSA-26-10. The patched versions are QTS 5.2.10, QuTS hero h5.2.9, QuTS cloud c5.2.9, and QVP 2.8.0.

What You Should Do

  • Immediately Update Firmware: Log into your QNAP device’s administration interface, navigate to the firmware update section, and apply the latest available version. Alternatively, download the firmware manually from the QNAP Download Center.
  • Limit Administrative Access: Restrict administrative privileges to only essential personnel and enforce the principle of least privilege.
  • Implement Strong Authentication: Ensure all user accounts, especially administrative ones, utilize strong, unique passwords and enable multi-factor authentication (MFA) where available.
  • Monitor System Logs: Regularly review QNAP system logs for any unusual activity or signs of compromise.
  • Isolate NAS Devices: If possible, place NAS devices behind firewalls and limit their exposure to the public internet, particularly for administrative interfaces.
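The affected and patched versions listed above are the inputs to the first action in this list, so an added example follows: a small inventory triage script (written for this page, not QNAP's own tooling) that parses QNAP's version strings, including the "h" and "c" prefixes for QuTS hero and QuTS cloud, and compares them numerically rather than lexically ("5.2.7" sorts after "5.2.10" as a string but is older). The inventory rows and the optional trailing build-number format are constructed assumptions; the policy that anything below the patched release is treated as exposed is a conservative choice, not a statement from the advisory.

```python
import re
from typing import Dict, List, Tuple

# Patched versions named in advisory QSA-26-10, as reported in this article.
PATCHED: Dict[str, str] = {
    "QTS": "5.2.10",
    "QuTS hero": "h5.2.9",
    "QuTS cloud": "c5.2.9",
    "QVP": "2.8.0",
}

# Optional 'h'/'c' product prefix, then dotted numeric components.
_VERSION_RE = re.compile(r"^[hc]?(\d+(?:\.\d+)*)")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn 'h5.2.8', 'c5.2.9' or '5.2.7.1234 build 20250101' into a tuple of ints.
    A trailing build number (assumed format) becomes an extra tuple element, so
    '5.2.10.1234' still compares as not older than '5.2.10'."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def needs_update(product: str, installed: str) -> bool:
    """True when the installed version is numerically below the patched release.
    Conservative policy: every older version is treated as exposed, not only the
    exact versions the advisory names as affected."""
    if product not in PATCHED:
        raise KeyError(f"no patch level known for {product!r}")
    return parse_version(installed) < parse_version(PATCHED[product])


def triage(inventory: List[Tuple[str, str, str]]) -> List[str]:
    """Return the hosts from (host, product, version) rows that still need the patch."""
    return [host for host, product, version in inventory if needs_update(product, version)]


# Constructed sample inventory; these are not real devices.
SAMPLE_INVENTORY = [
    ("nas-01", "QTS", "5.2.7"),
    ("nas-02", "QTS", "5.2.10"),
    ("nas-03", "QuTS hero", "h5.2.8"),
    ("nas-04", "QuTS cloud", "c5.2.9"),
    ("nas-05", "QVP", "2.7.1"),
]

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: firmware update required")
```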
