QNAP CVE coverage for NAS systems, backup workflows, storage services, and exposed SMB infrastructure.
Vendor watch hub
The QNAPwatch hub is a vendor-specific view inside ITECS MSP Threat Radar. We pull the latest security advisories, incidents, and known-exploited CVEs directly from the official feeds below, score each one for MSP relevance, and surface what's most likely to need attention this week.
At a glance
Tracked
Active
Featured
Unique CVEs
Most recent entry
Mar 20, 2026, 12:16 PM
Feed refreshes daily · 5:15 a.m. Central
Sources·CISA KEV and NVD (product vendor coverage)
"Most recent entry" is the newest item the upstream feed has published — not our sync time.
Watch items
Showing the 13 most recent items, newest first. Each row links to the official advisory.
13 rows · sorted newest first
Operations viewA missing authentication for critical function vulnerability has been reported to affect QVR Pro. The remote attackers can then exploit the vulnerability to gain access to the system. We have already fixed the vulnerability in the following version: QVR Pro 2.7.4.14 and later
A buffer overflow vulnerability has been reported to affect Media Streaming Add-On. The remote attackers can then exploit the vulnerability to modify memory or crash processes. We have already fixed the vulnerability in the following version: Media Streaming Add-on 500.1.1 and later
QNAP VioStar NVR contains an OS command injection vulnerability that allows authenticated users to execute commands via a network.
Certain QNAP NAS running Photo Station with internet exposure contain an externally controlled reference to a resource vulnerability which can allow an attacker to modify system files. This vulnerability was observed being utilized in a Deadbolt ransomware campaign. Known ransomware use: Known.
QNAP devices running Photo Station contain an external control of file name or path vulnerability allowing remote attackers to access or modify system files. Known ransomware use: Known.
QNAP NAS devices running Photo Station contain an improper access control vulnerability allowing remote attackers to gain unauthorized access to the system. Known ransomware use: Known.
QNAP devices running Photo Station contain an external control of file name or path vulnerability allowing remote attackers to access or modify system files. Known ransomware use: Known.
QNAP QTS contains an improper input validation vulnerability allowing remote attackers to inject code on the system. Known ransomware use: Known.
A cross-site scripting vulnerability affecting QNAP NAS File Station could allow remote attackers to inject malicious code. Known ransomware use: Known.
A command injection vulnerability affecting QNAP NAS File Station could allow remote attackers to run commands. Known ransomware use: Known.
A cross-site scripting vulnerability affecting QNAP NAS File Station could allow remote attackers to inject malicious code. Known ransomware use: Known.
QNAP NAS devices contain a command injection vulnerability which could allow attackers to perform remote code execution.
QNAP NAS running HBS 3 contains an improper authorization vulnerability which can allow remote attackers to log in to a device. Known ransomware use: Known.
| Alert | Exposure | Status | Published | Source |
|---|---|---|---|---|
qvr pro vulnerability (CVE-2026-22898)A missing authentication for critical function vulnerability has been reported to affect QVR Pro. The remote attackers can then exploit the vulnerability to gain access to the system. We have already fixed the vulnerability in the following version: QVR Pro 2.7.4.14 and later qvr pro | CRITICALCVE-2026-22898 Watch | watch | Mar 20, 2026, 12:16 PM | NVDOpen source |
media streaming add-on vulnerability (CVE-2025-59383)A buffer overflow vulnerability has been reported to affect Media Streaming Add-On. The remote attackers can then exploit the vulnerability to modify memory or crash processes. We have already fixed the vulnerability in the following version: Media Streaming Add-on 500.1.1 and later media streaming add-on | LOWCVE-2025-59383 Watch | watch | Mar 20, 2026, 12:16 PM | NVDOpen source |
QNAP VioStor NVR OS Command Injection VulnerabilityQNAP VioStar NVR contains an OS command injection vulnerability that allows authenticated users to execute commands via a network. VioStor NVR | criticalCVE-2023-47565 Critical | active | Dec 20, 2023, 6:00 PM | CISA KEVOpen source |
QNAP Photo Station Externally Controlled Reference VulnerabilityCertain QNAP NAS running Photo Station with internet exposure contain an externally controlled reference to a resource vulnerability which can allow an attacker to modify system files. This vulnerability was observed being utilized in a Deadbolt ransomware campaign. Known ransomware use: Known. Photo Station | criticalCVE-2022-27593 Critical | active | Sep 7, 2022, 7:00 PM | CISA KEVOpen source |
QNAP Photo Station Path Traversal VulnerabilityQNAP devices running Photo Station contain an external control of file name or path vulnerability allowing remote attackers to access or modify system files. Known ransomware use: Known. Photo Station | criticalCVE-2019-7195 Critical | active | Jun 7, 2022, 7:00 PM | CISA KEVOpen source |
QNAP Photo Station Improper Access Control VulnerabilityQNAP NAS devices running Photo Station contain an improper access control vulnerability allowing remote attackers to gain unauthorized access to the system. Known ransomware use: Known. Photo Station | criticalCVE-2019-7192 Critical | active | Jun 7, 2022, 7:00 PM | CISA KEVOpen source |
QNAP Photo Station Path Traversal VulnerabilityQNAP devices running Photo Station contain an external control of file name or path vulnerability allowing remote attackers to access or modify system files. Known ransomware use: Known. Photo Station | criticalCVE-2019-7194 Critical | active | Jun 7, 2022, 7:00 PM | CISA KEVOpen source |
QNAP QTS Improper Input Validation VulnerabilityQNAP QTS contains an improper input validation vulnerability allowing remote attackers to inject code on the system. Known ransomware use: Known. QTS | criticalCVE-2019-7193 Critical | active | Jun 7, 2022, 7:00 PM | CISA KEVOpen source |
QNAP NAS File Station Cross-Site Scripting VulnerabilityA cross-site scripting vulnerability affecting QNAP NAS File Station could allow remote attackers to inject malicious code. Known ransomware use: Known. Network Attached Storage (NAS) | criticalCVE-2018-19953 Critical | active | May 23, 2022, 7:00 PM | CISA KEVOpen source |
QNAP NAS File Station Command Injection VulnerabilityA command injection vulnerability affecting QNAP NAS File Station could allow remote attackers to run commands. Known ransomware use: Known. Network Attached Storage (NAS) | criticalCVE-2018-19949 Critical | active | May 23, 2022, 7:00 PM | CISA KEVOpen source |
QNAP NAS File Station Cross-Site Scripting VulnerabilityA cross-site scripting vulnerability affecting QNAP NAS File Station could allow remote attackers to inject malicious code. Known ransomware use: Known. Network Attached Storage (NAS) | criticalCVE-2018-19943 Critical | active | May 23, 2022, 7:00 PM | CISA KEVOpen source |
QNAP Network-Attached Storage (NAS) Command Injection VulnerabilityQNAP NAS devices contain a command injection vulnerability which could allow attackers to perform remote code execution. QNAP Network-Attached Storage (NAS) | criticalCVE-2020-2509 Critical | active | Apr 10, 2022, 7:00 PM | CISA KEVOpen source |
QNAP NAS Improper Authorization VulnerabilityQNAP NAS running HBS 3 contains an improper authorization vulnerability which can allow remote attackers to log in to a device. Known ransomware use: Known. Network Attached Storage (NAS) | criticalCVE-2021-28799 Critical | active | Mar 30, 2022, 7:00 PM | CISA KEVOpen source |
ITECS response pathways
These pathways connect the vendor watch feed into service-owner resources that already carry commercial authority.
Use the backup & disaster recovery pathway when this vendor alert needs an ITECS-managed response plan.
Connect the vendor watch page to broader managed detection, response, and governance planning.
Translate current watch items into a faster risk snapshot and prioritized remediation plan.
Return to the hub for cross-vendor prioritization, live filtering, and broader MSP threat context.
Vendor watch FAQ
It is the QNAP-specific view inside ITECS Threat Radar, built to track recent advisories, incidents, and watch items that may affect Dallas-area business operations.
Use it to confirm whether current QNAP issues overlap with your environment, prioritize remediation, and decide whether you need an assessment, managed security follow-through, or vendor-specific hardening work.
Yes. ITECS can help map QNAP advisories against your systems, validate affected services, prioritize remediation, and connect the issue to broader managed cybersecurity or managed IT workflows.