--- title: "QNAP Patches 14 Dangerous Flaws Affecting NAS Systems" date: 2026-06-22 author: "Sofia Ramirez" featured_image: "https://sqmagazine.co.uk/wp-content/uploads/2026/06/qnap-patches-14-different-vulnerabiltiies.jpg" categories: - name: "Cybersecurity" url: "/cybersecurity.md" tags: - name: "News" url: "/tag/news.md" --- # QNAP Patches 14 Dangerous Flaws Affecting NAS Systems QNAP has released security updates to fix 14 vulnerabilities affecting its NAS and surveillance platforms, while also investigating a separate Linux kernel privilege escalation flaw impacting some devices. ## Quick Summary – TLDR: - QNAP patched 14 security vulnerabilities affecting QTS, QuTS hero, QuTS cloud, and QVP platforms. - Several flaws could allow arbitrary command execution, credential theft, denial of service attacks, and unauthorized file access. - One vulnerability can be exploited by unauthenticated attackers, increasing the risk for internet exposed devices. - QNAP is also investigating a separate Copy Fail privilege escalation vulnerability affecting certain ARM64 NAS models. ## What Happened? QNAP has released firmware updates to address **14 security vulnerabilities** across its storage and surveillance operating systems. The flaws range from command injection and buffer overflows to access control issues and **denial of service vulnerabilities**. At the same time, the company has issued a separate advisory for a Linux kernel privilege escalation flaw known as Copy Fail, which remains under investigation and has not yet received a security patch. > QNAP has released security updates for multiple injection vulnerabilities affecting QTS, QuTS hero, QuTS cloud, and QVP. > > Several of the flaws could allow authenticated attackers to execute arbitrary commands, trigger denial of service conditions, bypass access controls, or… [pic.twitter.com/Kec8GQP552](https://t.co/Kec8GQP552) > > — Clone Systems (@CloneSystemsInc) [June 22, 2026](https://x.com/CloneSystemsInc/status/2069029489707831753?ref_src=twsrc%5Etfw) ## Multiple Vulnerabilities Could Lead to Command Execution The most serious issues fixed by QNAP involve vulnerabilities that could allow attackers to execute commands on affected devices. Among them are **CVE-2025-66273**, **CVE-2025-66279**, and **CVE-2026-22893**, all of which are command injection vulnerabilities. According to QNAP, authenticated administrators could exploit these flaws through crafted inputs and API functions to execute arbitrary system commands on the NAS. The risk becomes more severe with **CVE-2026-22893**, which can enable command execution with elevated privileges. Successful exploitation could potentially give attackers deeper control over affected systems. Another major issue, **CVE-2025-59382**, is a URL injection vulnerability. This flaw allows attackers to manipulate password reset links and redirect victims to attacker controlled password reset pages. Such attacks could be used to steal user credentials without directly compromising the device itself. ## Memory Corruption and Service Crash Risks A significant portion of the advisory focuses on memory handling vulnerabilities. QNAP fixed several stack overflow and stack based buffer overflow flaws, including **CVE-2025-62858**, **CVE-2025-068405**, **CVE-2026-26239**, **CVE-2026-26240**, and **CVE-2026-26241**. These vulnerabilities can lead to memory corruption, unexpected behavior, unauthorized actions, or service crashes. One of the more concerning flaws is **CVE-2026-26241**, which can be exploited through excessively long filenames during chunked file uploads. Both authenticated and unauthenticated attackers may trigger the vulnerability and crash affected CGI processes. Another flaw, **CVE-2026-26240**, can crash the **utilRequest.cgi** service when an overly long upload filename is processed. ## Additional Security Issues Addressed Beyond command execution and memory corruption risks, QNAP also patched several vulnerabilities that impact device availability and access controls. **CVE-2026-24724** is a broken access control vulnerability that may allow authenticated users to bypass intended restrictions and access sensitive files. **CVE-2026-24720** enables attackers to consume excessive CPU and memory resources, potentially degrading NAS performance and causing operational disruptions. The company also addressed **CVE-2025-66281**, a pre authentication NULL pointer vulnerability that can be triggered using malformed HTTP requests. Because valid credentials are not required, attackers could potentially crash services remotely. Similarly, **CVE-2026-22899** allows low privileged authenticated users to trigger a denial of service condition through a NULL pointer dereference in utilRequest.cgi. ## Affected Products and Fixed Versions The vulnerabilities affect the following products: - **QTS 5.2.7** - **QuTS hero h5.2.8** - **QuTS cloud c5.2.8** - **QVP 2.7.1** QNAP has released fixes in: - **QTS 5.2.9.3499** - **QuTS hero h5.2.9** - **QuTS cloud c5.2.9** - **QVP 2.8.0** Administrators are advised to update affected systems immediately through the built in firmware update tools or by manually installing the latest firmware packages. ## Separate Copy Fail Vulnerability Still Under Investigation In a separate security advisory, QNAP disclosed that **CVE-2026-31431**, commonly known as **[Copy Fail](https://sqmagazine.co.uk/copy-fail-linux-critical-vulnerability-risk/)**, affects specific ARM64 NAS models running Linux Kernel 5.10. The vulnerability could allow an authenticated non administrator user with code execution capabilities to gain elevated system privileges. At present, QNAP is still developing security updates and no official patch has been released. The company recommends restricting shell access, limiting container deployments to trusted images, disabling unnecessary services, and avoiding direct internet exposure until fixes become available. ## SQ Magazine Takeaway I think this is one of the more important **QNAP security updates** in recent months because it combines several high impact vulnerabilities into a single patch cycle. The presence of command injection flaws, credential theft risks, and vulnerabilities that can be triggered without authentication makes rapid patching essential. Organizations that rely on QNAP devices for storage, backup, or surveillance should treat these updates as a priority, especially if any systems are accessible from the internet.