QNAP has released security updates to fix 14 vulnerabilities affecting its NAS and surveillance platforms, while also investigating a separate Linux kernel privilege escalation flaw impacting some devices.
Quick Summary – TLDR:
- QNAP patched 14 security vulnerabilities affecting QTS, QuTS hero, QuTS cloud, and QVP platforms.
- Several flaws could allow arbitrary command execution, credential theft, denial of service attacks, and unauthorized file access.
- One vulnerability can be exploited by unauthenticated attackers, increasing the risk for internet exposed devices.
- QNAP is also investigating a separate Copy Fail privilege escalation vulnerability affecting certain ARM64 NAS models.
What Happened?
QNAP has released firmware updates to address 14 security vulnerabilities across its storage and surveillance operating systems. The flaws range from command injection and buffer overflows to access control issues and denial of service vulnerabilities.
At the same time, the company has issued a separate advisory for a Linux kernel privilege escalation flaw known as Copy Fail, which remains under investigation and has not yet received a security patch.
QNAP has released security updates for multiple injection vulnerabilities affecting QTS, QuTS hero, QuTS cloud, and QVP.
— Clone Systems (@CloneSystemsInc) June 22, 2026
Several of the flaws could allow authenticated attackers to execute arbitrary commands, trigger denial of service conditions, bypass access controls, or… pic.twitter.com/Kec8GQP552
Multiple Vulnerabilities Could Lead to Command Execution
The most serious issues fixed by QNAP involve vulnerabilities that could allow attackers to execute commands on affected devices.
Among them are CVE-2025-66273, CVE-2025-66279, and CVE-2026-22893, all of which are command injection vulnerabilities. According to QNAP, authenticated administrators could exploit these flaws through crafted inputs and API functions to execute arbitrary system commands on the NAS.
The risk becomes more severe with CVE-2026-22893, which can enable command execution with elevated privileges. Successful exploitation could potentially give attackers deeper control over affected systems.
Another major issue, CVE-2025-59382, is a URL injection vulnerability. This flaw allows attackers to manipulate password reset links and redirect victims to attacker controlled password reset pages. Such attacks could be used to steal user credentials without directly compromising the device itself.
Memory Corruption and Service Crash Risks
A significant portion of the advisory focuses on memory handling vulnerabilities.
QNAP fixed several stack overflow and stack based buffer overflow flaws, including CVE-2025-62858, CVE-2025-068405, CVE-2026-26239, CVE-2026-26240, and CVE-2026-26241.
These vulnerabilities can lead to memory corruption, unexpected behavior, unauthorized actions, or service crashes.
One of the more concerning flaws is CVE-2026-26241, which can be exploited through excessively long filenames during chunked file uploads. Both authenticated and unauthenticated attackers may trigger the vulnerability and crash affected CGI processes.
Another flaw, CVE-2026-26240, can crash the utilRequest.cgi service when an overly long upload filename is processed.
Additional Security Issues Addressed
Beyond command execution and memory corruption risks, QNAP also patched several vulnerabilities that impact device availability and access controls.
CVE-2026-24724 is a broken access control vulnerability that may allow authenticated users to bypass intended restrictions and access sensitive files.
CVE-2026-24720 enables attackers to consume excessive CPU and memory resources, potentially degrading NAS performance and causing operational disruptions.
The company also addressed CVE-2025-66281, a pre authentication NULL pointer vulnerability that can be triggered using malformed HTTP requests. Because valid credentials are not required, attackers could potentially crash services remotely.
Similarly, CVE-2026-22899 allows low privileged authenticated users to trigger a denial of service condition through a NULL pointer dereference in utilRequest.cgi.
Affected Products and Fixed Versions
The vulnerabilities affect the following products:
- QTS 5.2.7
- QuTS hero h5.2.8
- QuTS cloud c5.2.8
- QVP 2.7.1
QNAP has released fixes in:
- QTS 5.2.9.3499
- QuTS hero h5.2.9
- QuTS cloud c5.2.9
- QVP 2.8.0
Administrators are advised to update affected systems immediately through the built in firmware update tools or by manually installing the latest firmware packages.
Separate Copy Fail Vulnerability Still Under Investigation
In a separate security advisory, QNAP disclosed that CVE-2026-31431, commonly known as Copy Fail, affects specific ARM64 NAS models running Linux Kernel 5.10.
The vulnerability could allow an authenticated non administrator user with code execution capabilities to gain elevated system privileges.
At present, QNAP is still developing security updates and no official patch has been released. The company recommends restricting shell access, limiting container deployments to trusted images, disabling unnecessary services, and avoiding direct internet exposure until fixes become available.
SQ Magazine Takeaway
I think this is one of the more important QNAP security updates in recent months because it combines several high impact vulnerabilities into a single patch cycle. The presence of command injection flaws, credential theft risks, and vulnerabilities that can be triggered without authentication makes rapid patching essential. Organizations that rely on QNAP devices for storage, backup, or surveillance should treat these updates as a priority, especially if any systems are accessible from the internet.
