Ce mail provient de l'extérieur, restons vigilants ===================================================================== CERT-Renater Note d'Information No. 2026/VULN168 _____________________________________________________________________ DATE : 16/02/2026 HARDWARE PLATFORM(S): / OPERATING SYSTEM(S): Systems running QTS versions prior to 5.2.8.3350 build 20251216, QuTS hero versions prior to 5.2.8.3350 build 20251216, 5.3.2.3354 build 20251225. ===================================================================== https://www.qnap.com/fr-fr/security-advisory/qsa-26-05 https://www.qnap.com/fr-fr/security-advisory/qsa-26-08 _____________________________________________________________________ Security ID : QSA-26-05 Multiple Vulnerabilities in QTS and QuTS hero Release date : February 12, 2026 CVE identifier : CVE-2025-47205 | CVE-2025-58466 | CVE-2025-66277 Affected products: QTS 5.2.x, QuTS hero h5.2.x Severity Important Status Resolved Summary Multiple vulnerabilities has been reported to affect certain QNAP operating system versions: CVE-2025-58466: Use of uninitialized variable vulnerability If a remote attacker gains access to an administrator account, they can then exploit the vulnerability to cause denial-of-service (DoS) conditions or modify control flow in unexpected ways. CVE-2025-47205: NULL pointer dereference vulnerability If a remote attacker gains access to an administrator account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. CVE-2025-66277: Link following vulnerability If exploited, remote attackers can traverse the file system to unintended locations. We have already fixed the vulnerabilities in the following versions: Affected Product Fixed Version QTS 5.2.x QTS 5.2.8.3350 build 20251216 and later QuTS hero h5.2.x QuTS hero h5.2.8.3350 build 20251216 and later Recommendation To secure your device, we recommend regularly updating your system to the latest version to benefit from vulnerability fixes. You can check the product support status to see the latest updates available to your NAS model. Updating QTS or QuTS hero Log in to QTS or QuTS hero as an administrator. Go to Control Panel > System > Firmware Update. Under Live Update, click Check for Update. The system downloads and installs the latest available update. Tip: You can also download the update from the QNAP website. Go to Support > Download Center and then perform a manual update for your specific device. Attachment CVE-2025-58466.json CVE-2025-47205.json CVE-2025-66277.json Acknowledgements: coral Theori, with Xint Revision History: V1.0 (February 12, 2026) - Published _____________________________________________________________________ Security ID : QSA-26-08 Multiple Vulnerabilities in QuTS hero Release date : February 12, 2026 CVE identifier : CVE-2025-48725 | CVE-2025-59386 | CVE-2025-66274 Affected products: QuTS hero h5.3.x Severity Low Status Resolved Summary Multiple vulnerabilities have been reported to affect QuTS hero: CVE-2025-48725: Buffer overflow vulnerability If a remote attacker gains access to a user account, they can then exploit the vulnerability to modify memory or crash processes. CVE-2025-66274, CVE-2025-59386: NULL pointer dereference vulnerability If a remote attacker gains access to an administrator account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerabilities in the following version: Affected Product Fixed Version QuTS hero h5.3.x QuTS hero h5.3.2.3354 build 20251225 and later Recommendation To secure your device, we recommend regularly updating your system to the latest version to benefit from vulnerability fixes. You can check the product support status to see the latest updates available to your NAS model. Updating QuTS hero Log in to QuTS hero as an administrator. Go to Control Panel > System > Firmware Update. Under Live Update, click Check for Update. The system downloads and installs the latest available update. Tip: You can also download the update from the QNAP website. Go to Support > Download Center and then perform a manual update for your specific device. Attachment CVE-2025-66274.json CVE-2025-48725.json CVE-2025-59386.json Revision History: V1.0 (February 12, 2026) - Published ========================================================= + CERT-RENATER | tel : 01-53-94-20-44 + + 23/25 Rue Daviel | fax : 01-53-94-20-41 + + 75013 Paris | email:cert@support.renater.fr + =========================================================