QNAP threat watch

QNAP CVE coverage for NAS systems, backup workflows, storage services, and exposed SMB infrastructure.

Watch items

Recent QNAP watch items

Showing the 20 most recent items, newest first. Each row links to the official advisory.

20 rows · sorted newest first

Operations view

File Station vulnerability (CVE-2026-26241)

LOW
watch · NVD · CVE-2026-26241

A buffer overflow vulnerability has been reported to affect File Station 5. The remote attackers can then exploit the vulnerability to modify memory or crash processes. We have already fixed the vulnerability in the following version: File Station 5 5.5.6.5243 and later

Jun 10, 2026, 12:16 AM · Official source

File Station vulnerability (CVE-2026-26240)

LOW
watch · NVD · CVE-2026-26240

A buffer overflow vulnerability has been reported to affect File Station 5. The remote attackers can then exploit the vulnerability to modify memory or crash processes. We have already fixed the vulnerability in the following version: File Station 5 5.5.6.5243 and later

Jun 10, 2026, 12:16 AM · Official source

File Station vulnerability (CVE-2026-26239)

HIGH
watch · NVD · CVE-2026-26239

A buffer overflow vulnerability has been reported to affect File Station 5. If a remote attacker gains a user account, they can then exploit the vulnerability to modify memory or crash processes. We have already fixed the vulnerability in the following version: File Station 5 5.5.6.5208 and later

Jun 9, 2026, 11:17 PM · Official source

QuMagie vulnerability (CVE-2026-26237)

HIGH
watch · NVD · CVE-2026-26237

A missing authorization vulnerability has been reported to affect QuMagie. The remote attackers can then exploit the vulnerability to access unauthorized data or perform unauthorized actions. We have already fixed the vulnerability in the following version: QuMagie 2.9.0 and later

Jun 9, 2026, 11:17 PM · Official source

File Station vulnerability (CVE-2026-24724)

HIGH
watch · NVD · CVE-2026-24724

An incorrect authorization vulnerability has been reported to affect File Station 6. If a remote attacker gains a user account, they can then exploit the vulnerability to bypass intended access restrictions. We have already fixed the vulnerability in the following version: File Station 5 5.5.6.5243 and later

Jun 9, 2026, 11:17 PM · Official source

QTS vulnerability (CVE-2026-24719)

MEDIUM
watch · NVD · CVE-2026-24719

A command injection vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to execute arbitrary commands. We have already fixed the vulnerability in the following versions: QTS 5.2.9.3492 build 20260507 and later; QuTS hero h5.2.9.3499 build 20260514 and later

Jun 9, 2026, 11:17 PM · Official source

QTS vulnerability (CVE-2026-24716)

LOW
watch · NVD · CVE-2026-24716

A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following versions: QTS 5.2.9.3492 build 20260507 and later; QuTS hero h5.2.9.3499 build 20260514 and later; QuTS hero h5.3.4.3500 build 20260520 and later; QuTS hero h6.0.0.3459 build 20260409 and later

Jun 9, 2026, 11:17 PM · Official source

QTS vulnerability (CVE-2026-22893)

HIGH
watch · NVD · CVE-2026-22893

A command injection vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to execute arbitrary commands. We have already fixed the vulnerability in the following versions: QTS 5.2.9.3410 build 20260214 and later; QuTS hero h5.2.9.3410 build 20260214 and later; QuTS hero h5.3.4.3500 build 20260520 and later; QuTS hero h6.0.0.3459 build 20260409 and later

Jun 9, 2026, 11:17 PM · Official source

QTS vulnerability (CVE-2025-66281)

MEDIUM
watch · NVD · CVE-2025-66281

A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. The remote attackers can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following versions: QTS 5.2.9.3410 build 20260214 and later; QuTS hero h5.2.9.3410 build 20260214 and later; QuTS hero h5.3.4.3500 build 20260520 and later; QuTS hero h6.0.0.3397 build 20260206 and later

Jun 9, 2026, 11:17 PM · Official source

QTS vulnerability (CVE-2025-66280)

MEDIUM
watch · NVD · CVE-2025-66280

An integer overflow or wraparound vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to compromise the security of the system. We have already fixed the vulnerability in the following versions: QTS 5.2.9.3410 build 20260214 and later; QuTS hero h5.2.9.3410 build 20260214 and later; QuTS hero h5.3.4.3500 build 20260520 and later; QuTS hero h6.0.0.3397 build 20260206 and later

Jun 9, 2026, 11:17 PM · Official source

QTS vulnerability (CVE-2025-66279)

HIGH
watch · NVD · CVE-2025-66279

A command injection vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to execute arbitrary commands. We have already fixed the vulnerability in the following versions: QTS 5.2.9.3410 build 20260214 and later; QuTS hero h5.2.9.3410 build 20260214 and later; QuTS hero h5.3.4.3500 build 20260520 and later; QuTS hero h6.0.0.3397 build 20260206 and later

Jun 9, 2026, 11:17 PM · Official source

QTS vulnerability (CVE-2025-66273)

HIGH
watch · NVD · CVE-2025-66273

A command injection vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to execute arbitrary commands. We have already fixed the vulnerability in the following versions: QTS 5.2.9.3410 build 20260214 and later; QuTS hero h5.2.9.3410 build 20260214 and later; QuTS hero h5.3.4.3500 build 20260520 and later; QuTS hero h6.0.0.3397 build 20260206 and later

Jun 9, 2026, 11:17 PM · Official source

QuTS hero vulnerability (CVE-2025-62850)

MEDIUM
watch · NVD · CVE-2025-62850

A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following versions: QuTS hero h5.2.9.3410 build 20260214 and later; QuTS hero h5.3.4.3500 build 20260520 and later; QuTS hero h6.0.0.3459 build 20260409 and later

Jun 9, 2026, 11:17 PM · Official source

QTS vulnerability (CVE-2025-66276)

CRITICAL
watch · NVD · CVE-2025-66276

QuTS hero is not affected. We have already fixed the vulnerability in the following version: QTS 5.2.7.3256 build 20250913 and later

Jun 9, 2026, 10:16 PM · Official source

QuMagie vulnerability (CVE-2026-44083)

HIGH
watch · NVD · CVE-2026-44083

An authorization bypass through user-controlled key vulnerability has been reported to affect QuMagie. The remote attackers can then exploit the vulnerability to gain unintended privileges. We have already fixed the vulnerability in the following version: QuMagie 2.9.1 and later

Jun 9, 2026, 3:16 AM · Official source

QuMagie vulnerability (CVE-2026-26236)

HIGH
watch · NVD · CVE-2026-26236

A missing authorization vulnerability has been reported to affect QuMagie. The remote attackers can then exploit the vulnerability to access unauthorized data or perform unauthorized actions. We have already fixed the vulnerability in the following version: QuMagie 2.9.0 and later

Jun 9, 2026, 12:16 AM · Official source

QuNetSwitch vulnerability (CVE-2026-22901)

MEDIUM
watch · NVD · CVE-2026-22901

A command injection vulnerability has been reported to affect QuNetSwitch. If a remote attacker gains a user account, they can then exploit the vulnerability to execute arbitrary commands. We have already fixed the vulnerability in the following version: QuNetSwitch 2.0.5.0906 and later

Mar 20, 2026, 12:16 PM · Official source

QuNetSwitch vulnerability (CVE-2026-22900)

MEDIUM
watch · NVD · CVE-2026-22900

A use of hard-coded credentials vulnerability has been reported to affect QuNetSwitch. The remote attackers can then exploit the vulnerability to gain unauthorized access. We have already fixed the vulnerability in the following version: QuNetSwitch 2.0.5.0906 and later

Mar 20, 2026, 12:16 PM · Official source

QVR Pro vulnerability (CVE-2026-22898)

CRITICAL
watch · NVD · CVE-2026-22898

A missing authentication for critical function vulnerability has been reported to affect QVR Pro. The remote attackers can then exploit the vulnerability to gain access to the system. We have already fixed the vulnerability in the following version: QVR Pro 2.7.4.14 and later

Mar 20, 2026, 12:16 PM · Official source

QuNetSwitch vulnerability (CVE-2026-22897)

HIGH
watch · NVD · CVE-2026-22897

A command injection vulnerability has been reported to affect QuNetSwitch. The remote attackers can then exploit the vulnerability to execute arbitrary commands. We have already fixed the vulnerability in the following version: QuNetSwitch 2.0.4.0415 and later

Mar 20, 2026, 12:16 PM · Official source

Vendor watch hub

What this page covers

The QNAP watch hub is a vendor-specific view inside ITECS MSP Threat Radar. We pull the latest security advisories, incidents, and known-exploited CVEs directly from the official feeds below, score each one for MSP relevance, and surface what's most likely to need attention this week.

  • Confirm whether recent QNAP activity overlaps with your environment.
  • Prioritize advisories by MSP-relevance score, severity, and status.
  • Turn the signal into an assessment, briefing, or managed-service engagement with ITECS.

At a glance

  • Tracked: 55
  • Active: 11
  • Featured: 29
  • Unique CVEs: 20
  • Most recent entry: Jun 10, 2026, 12:16 AM

Feed refreshes daily · 5:15 a.m. Central

Sources · CISA KEV and NVD (product vendor coverage)

"Most recent entry" is the newest item the upstream feed has published — not our sync time.

Vendor watch FAQ

Common questions

What is the QNAP threat watch page?

It is the QNAP-specific view inside ITECS Threat Radar, built to track recent advisories, incidents, and watch items that may affect Dallas-area business operations.

How should teams use the QNAP watch page?

Use it to confirm whether current QNAP issues overlap with your environment, prioritize remediation, and decide whether you need an assessment, managed security follow-through, or vendor-specific hardening work.

Can ITECS help respond to QNAP security issues?

Yes. ITECS can help map QNAP advisories against your systems, validate affected services, prioritize remediation, and connect the issue to broader managed cybersecurity or managed IT workflows.