Ce mail provient de l'extérieur, restons vigilants ===================================================================== CERT-Renater Note d'Information No. 2025/VULN670 _____________________________________________________________________ DATE : 07/10/2025 HARDWARE PLATFORM(S): / OPERATING SYSTEM(S): Systems running Qsync Central versions prior to 5.0.0.2 (2025/07/31). ===================================================================== https://www.qnap.com/fr-fr/security-advisory/qsa-25-35 https://www.qnap.com/fr-fr/security-advisory/qsa-25-34 _____________________________________________________________________ Security ID : QSA-25-35 Multiple Vulnerabilities in Qsync Central Release date : October 4, 2025 CVE identifier : CVE-2025-44012 | CVE-2025-47210 | CVE-2025-52867 | CVE-2025-53595 | CVE-2025-54153 Affected products: Qsync Central 5.0.0 Severity Important Status Resolved Summary Multiple vulnerabilities have been reported to affect Qsync Central: CVE-2025-44012: Allocation of resources without limits or throttling vulnerability If a remote attacker gains access to a user account, they can then exploit the vulnerability to prevent other systems, applications, or processes from accessing the same type of resource. CVE-2025-47210: NULL pointer dereference vulnerability If a remote attacker gains access to a user account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. CVE-2025-52867: Uncontrolled resource consumption vulnerability If a remote attacker gains access to a user account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. CVE-2025-53595, CVE-2025-54153: SQL injection vulnerabilities If a remote attacker gains access to a user account, they can then exploit the vulnerabilities to execute unauthorized code or commands. We have already fixed the vulnerabilities in the following version: Affected Product Fixed Version Qsync Central 5.0.0 Qsync Central 5.0.0.2 (2025/07/31) and later Recommendation To fix the vulnerabilities, we recommend updating Qsync Central to the latest version. Updating Qsync Central Log on to QTS or QuTS hero as an administrator. Open App Center and then click . A search box appears. Type "Qsync Central" and then press ENTER. Qsync Central appears in the search results. Click Update. A confirmation message appears. Note: The Update button is not available if your Qsync Central is already up to date. Click OK. The system updates the application. Attachment CVE-2025-44012.json CVE-2025-47210.json CVE-2025-52867.json CVE-2025-53595.json CVE-2025-54153.json Acknowledgements: coral Revision History: V1.0 (October 4, 2025) - Published _____________________________________________________________________ Security ID : QSA-25-34 Multiple Vulnerabilities in Qsync Central Release date : October 4, 2025 CVE identifier : CVE-2025-33034 | CVE-2025-33039 | CVE-2025-33040 | CVE-2025-44006 | CVE-2025-44007 | CVE-2025-44008 | CVE-2025-44009 | CVE-2025-44010 | CVE-2025-44011 | CVE-2025-44014 Affected products: Qsync Central 4.x Severity Moderate Status Resolved Summary Multiple vulnerabilities have been reported to affect Qsync Central: CVE-2025-33034: Path traversal vulnerability If a remote attacker gains access to a user account, they can then exploit the vulnerability to read the contents of unexpected files or system data. CVE-2025-33039, CVE-2025-33040, CVE-2025-44006, CVE-2025-44007: Allocation of resources without limits or throttling vulnerabilities If a remote attacker gains access to a user account, they can then exploit the vulnerabilities to prevent other systems, applications, or processes from accessing the same type of resource. CVE-2025-44008, CVE-2025-44009, CVE-2025-44010, CVE-2025-44011: NULL pointer dereference vulnerabilities If a remote attacker gains access to a user account, they can then exploit the vulnerabilities to launch a denial-of-service (DoS) attack. CVE-2025-44014: Out-of-bounds write vulnerability If a remote attacker gains access to a user account, they can then exploit the vulnerability to modify or corrupt memory. We have already fixed the vulnerabilities in the following version: Affected Product Fixed Version Qsync Central 4.x Qsync Central 5.0.0.1 (2025/07/09) and later Recommendation To fix the vulnerabilities, we recommend updating Qsync Central to the latest version. Updating Qsync Central Log on to QTS or QuTS hero as an administrator. Open App Center and then click . A search box appears. Type "Qsync Central" and then press ENTER. Qsync Central appears in the search results. Click Update. A confirmation message appears. Note: The Update button is not available if your Qsync Central is already up to date. Click OK. The system updates the application. Attachment CVE-2025-33034.json CVE-2025-33039.json CVE-2025-33040.json CVE-2025-44006.json CVE-2025-44007.json CVE-2025-44008.json CVE-2025-44009.json CVE-2025-44010.json CVE-2025-44011.json CVE-2025-44014.json Acknowledgements: coral Revision History: V1.0 (October 4, 2025) - Published ========================================================= + CERT-RENATER | tel : 01-53-94-20-44 + + 23/25 Rue Daviel | fax : 01-53-94-20-41 + + 75013 Paris | email:cert@support.renater.fr + =========================================================