
=====================================================================

                            CERT-Renater

                Note d'Information No. 2026/VULN687
_____________________________________________________________________

DATE                : 29/06/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running QTS versions prior to 5.2.9.3499,
                     QuTS hero versions prior to 5.2.9,
                     QuTS cloud versions prior to 5.2.9,
                     QVP (QVR Pro appliances) versions prior to 2.8.0.
 
=====================================================================
https://www.qnap.com/en-uk/security-advisory/qsa-26-10
_____________________________________________________________________


Security ID : QSA-26-10
Vulnerabilities in QTS, QuTS hero, QuTS cloud, and QVP (QVR Pro appliances)

Release date : June 17, 2026

CVE identifier : CVE-2025-59382, CVE-2025-62858, CVE-2025-66273,
                 CVE-2025-66279, CVE-2025-66280, CVE-2025-66281,
                 CVE-2026-22893, CVE-2025-68405, CVE-2026-26240,
                 CVE-2026-26239, CVE-2026-26241, CVE-2026-24724,
                 CVE-2026-22899, CVE-2026-24720

Affected products : QTS 5.2.7, QuTS hero h5.2.8, QuTS cloud c5.2.8,
                    QVP 2.7.1

Severity : Important

Status : Resolved


Summary

Multiple vulnerabilities have been reported to affect QTS, QuTS hero,
QuTS cloud and QVP (QVR Pro appliances):

    CVE-2025-59382: URL injection vulnerability
    A remote attacker can modify the password reset URL and trick a
    victim into visiting an attacker-controlled password reset page,
    leading to credential theft.

    CVE-2025-66273: Command injection vulnerability
    An authenticated administrator can inject arbitrary system commands
    through the username parameter, leading to command execution on the NAS.

    CVE-2025-66279: Command injection vulnerability in user deletion APIs
    An authenticated administrator can exploit this vulnerability to
    execute arbitrary commands on the NAS.

    CVE-2026-22893: Command injection vulnerability
    An authenticated administrator can exploit this vulnerability to
    execute arbitrary commands with elevated privileges.

    CVE-2025-62858: Stack overflow vulnerability
    If a remote attacker with administrator privileges exploits this
    vulnerability, they may cause memory corruption and unexpected system
    behavior.

    CVE-2025-66280: Stack manipulation vulnerability
    If an authenticated administrator exploits this vulnerability,
    they may cause unexpected system behavior or a denial-of-service
    condition.

    CVE-2025-68405: Stack overflow vulnerability
    If an authenticated administrator exploits this vulnerability,
    they may cause a denial-of-service condition.

    CVE-2026-26239: Stack-based buffer overflow
    If an authenticated user exploits this vulnerability, they may
    perform unauthorized actions.

    CVE-2026-26240: Stack-based buffer overflow
    An overly long upload filename can trigger a stack-based buffer
    overflow in utilRequest.cgi, resulting in a service crash.

    CVE-2026-26241: Stack-based buffer overflow
    An authenticated or unauthenticated remote attacker can supply
    an excessively long filename during chunked file uploads, triggering
    a stack-based buffer overflow and causing the affected CGI process
    to crash.

    CVE-2026-24724: Broken access control
    An authenticated user may bypass intended access restrictions and
    access sensitive files.

    CVE-2026-22899: NULL pointer dereference
    An authenticated low-privileged user can trigger a NULL pointer
    dereference in utilRequest.cgi, causing a segmentation fault and
    resulting in a denial-of-service condition.

    CVE-2026-24720: Uncontrolled resource consumption vulnerability
    An authenticated remote attacker can exploit the vulnerability to
    consume excessive system resources, causing high CPU and memory usage
    and degrading system responsiveness.

    CVE-2025-66281: Pre-authentication NULL pointer vulnerability
    A malformed HTTP request with a missing or empty content-length
    header can trigger a NULL pointer dereference, resulting in a
    denial-of-service condition.
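Two of the crash classes listed above share a root cause: request input
used before it is checked. A missing or empty Content-Length header reaches
code that dereferences a pointer that is NULL (CVE-2025-66281), and an
over-long upload filename is copied into a fixed-size stack buffer
(CVE-2026-26240, CVE-2026-26241). The following is an added example written
for this note, not QNAP's code and not the affected utilRequest.cgi: a
hypothetical CGI-style handler that validates both inputs before use. The
limits MAX_FILENAME and MAX_BODY, and the sample values in main(), are
assumptions constructed for the example.

```c
/* Added example: hardened handling of two CGI input edge cases from the
 * advisory, a missing/empty Content-Length header and an over-long upload
 * filename. Hypothetical educational code, not QNAP's. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_FILENAME 255                 /* assumed limit for this example */
#define MAX_BODY     (64L * 1024 * 1024) /* assumed upload size cap */

/* Parse a Content-Length value as a CGI program sees it: getenv("CONTENT_LENGTH")
 * returns NULL when the header is absent, and a naive atoi(getenv(...))
 * dereferences that NULL, which is the crash class described for a missing
 * or empty header. Returns the length, or -1 when the value is absent, empty,
 * non-numeric, negative or above MAX_BODY. */
long parse_content_length(const char *value)
{
    if (value == NULL || *value == '\0')
        return -1;
    char *end;
    errno = 0;
    long n = strtol(value, &end, 10);
    if (errno != 0 || end == value || *end != '\0')
        return -1;                           /* not a clean decimal number */
    if (n < 0 || n > MAX_BODY)
        return -1;
    return n;
}

/* Copy an upload filename into a fixed-size stack buffer only when it fits.
 * strcpy() into such a buffer is the stack-based overflow described for
 * over-long filenames; rejecting instead of truncating avoids both the
 * overflow and silently renamed files. Path separators and control
 * characters are refused too. Returns 0 on success, -1 when rejected. */
int copy_filename(char dst[MAX_FILENAME + 1], const char *src)
{
    if (src == NULL || *src == '\0')
        return -1;
    size_t n = 0;                            /* bounded scan, never past the limit */
    while (n <= MAX_FILENAME && src[n] != '\0')
        n++;
    if (n > MAX_FILENAME)
        return -1;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)src[i];
        if (c == '/' || c == '\\' || c < 0x20 || c == 0x7f)
            return -1;
    }
    memcpy(dst, src, n + 1);                 /* n + 1 includes the NUL */
    return 0;
}

/* 1 if the filename would be accepted into a stack buffer, 0 otherwise. */
int filename_accepted(const char *src)
{
    char buf[MAX_FILENAME + 1];
    return copy_filename(buf, src) == 0;
}

/* Build a constructed filename of `len` bytes and report whether it is
 * accepted (1) or rejected (0), to show the boundary behaviour. */
int filename_of_length_accepted(size_t len)
{
    char *name = malloc(len + 1);
    if (name == NULL)
        return 0;
    memset(name, 'A', len);
    name[len] = '\0';
    int ok = filename_accepted(name);
    free(name);
    return ok;
}

int main(void)
{
    /* Constructed sample values, not captured requests. */
    const char *lengths[] = { NULL, "", "1024", "12abc", "-5" };
    for (size_t i = 0; i < sizeof lengths / sizeof lengths[0]; i++)
        printf("Content-Length %-8s -> %ld\n",
               lengths[i] ? lengths[i] : "(absent)",
               parse_content_length(lengths[i]));

    printf("report.pdf accepted:    %d\n", filename_accepted("report.pdf"));
    printf("../etc/passwd accepted: %d\n", filename_accepted("../etc/passwd"));
    printf("255-byte name accepted: %d\n", filename_of_length_accepted(255));
    printf("256-byte name accepted: %d\n", filename_of_length_accepted(256));
    return 0;
}
```

Both checks fail closed: an absent header and an over-long name are rejected
rather than defaulted or truncated, which turns the described crash into a
4xx response the web server can log.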
     

We have already fixed the vulnerabilities in the following version:

Affected Product        Fixed Version

QVP 2.7.1               QVP 2.8.0
QuTS cloud c5.2.8       QuTS cloud C5.2.9
QTS version 5.2.7       QTS version 5.2.9.3499
QuTS hero h5.2.8        QuTS hero h5.2.9
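An added example, not part of the advisory or QNAP's tooling: a small C
check that compares a device's reported version against the fixed versions
in the table above, the way an inventory script would flag NAS units that
still need the update. Product names and fixed versions are taken from the
table; the inventory entries in main() are constructed, and the parsing
rules (letter prefix skipped, missing components read as 0) are assumptions
that match the strings the advisory uses.

```c
/* Added example: compare reported versions with the fixed versions in QSA-26-10.
 * Hypothetical code written for this note, not QNAP's tooling. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define VERSION_PARTS 4

/* Parse up to four numeric components from a QNAP-style version string such
 * as "5.2.9.3499", "h5.2.8" or "c5.2.9". A leading letter prefix is skipped
 * and missing trailing components count as 0. Returns the number of
 * components parsed, or -1 if the string is not a version at all. */
int parse_version(const char *s, long out[VERSION_PARTS])
{
    for (int i = 0; i < VERSION_PARTS; i++)
        out[i] = 0;
    while (*s != '\0' && !isdigit((unsigned char)*s))
        s++;                                   /* skip "h" / "c" / "C" */
    if (*s == '\0')
        return -1;
    int parts = 0;
    while (*s != '\0' && parts < VERSION_PARTS) {
        char *end;
        long v = strtol(s, &end, 10);
        if (end == s || v < 0)
            return -1;
        out[parts++] = v;
        s = end;
        if (*s == '.')
            s++;
        else if (*s != '\0')
            return -1;                         /* junk after a component */
    }
    return parts;
}

/* Component-wise comparison: <0 if a is older than b, 0 if equal, >0 if newer. */
int compare_versions(const long a[VERSION_PARTS], const long b[VERSION_PARTS])
{
    for (int i = 0; i < VERSION_PARTS; i++)
        if (a[i] != b[i])
            return a[i] < b[i] ? -1 : 1;
    return 0;
}

/* Fixed versions from the advisory's table. */
struct fixed_version { const char *product; const char *version; };
static const struct fixed_version FIXED[] = {
    { "QTS",        "5.2.9.3499" },
    { "QuTS hero",  "h5.2.9"     },
    { "QuTS cloud", "c5.2.9"     },
    { "QVP",        "2.8.0"      },
};

/* 1 if `running` is at or above the fixed version for `product`, 0 if the
 * device is still affected, -1 for an unknown product or unparsable version.
 * Conservative edge case: QTS is fixed in build 3499 of 5.2.9, so a bare
 * "5.2.9" without a build number parses as 5.2.9.0 and is reported as
 * affected; read the full build string before concluding a device is safe. */
int is_patched(const char *product, const char *running)
{
    long have[VERSION_PARTS], need[VERSION_PARTS];
    if (parse_version(running, have) < 0)
        return -1;
    for (size_t i = 0; i < sizeof FIXED / sizeof FIXED[0]; i++) {
        if (strcmp(FIXED[i].product, product) == 0) {
            parse_version(FIXED[i].version, need);
            return compare_versions(have, need) >= 0;
        }
    }
    return -1;
}

int main(void)
{
    /* Constructed inventory (product, reported version), not real devices. */
    const char *inventory[][2] = {
        { "QTS",        "5.2.7"      },
        { "QTS",        "5.2.9"      },
        { "QTS",        "5.2.9.3499" },
        { "QuTS hero",  "h5.2.8"     },
        { "QuTS cloud", "c5.2.9"     },
        { "QVP",        "2.7.1"      },
    };
    for (size_t i = 0; i < sizeof inventory / sizeof inventory[0]; i++) {
        int r = is_patched(inventory[i][0], inventory[i][1]);
        printf("%-10s %-11s -> %s\n", inventory[i][0], inventory[i][1],
               r == 1 ? "patched" : r == 0 ? "AFFECTED" : "unknown");
    }
    return 0;
}
```

Feed it the product and firmware version your monitoring already collects
from each NAS; anything reported as AFFECTED or unknown should be scheduled
for the update procedure below.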


Recommendation

To secure your device, we recommend regularly updating your system to
the latest version to benefit from vulnerability fixes. You can
check the product support status to see the latest updates available
to your NAS model.

Updating QTS, QuTS hero, or QuTScloud

    Log in to QTS, QuTS hero, or QuTScloud as an administrator.
    Go to Control Panel > System > Firmware Update.
    Under Live Update, click Check for Update.
    The system downloads and installs the latest available update.

Tip: You can also download the update from the QNAP website. Go to
Support > Download Center and then perform a manual update for your
specific device.

Updating QVP (QVR Pro Appliances)

    Log in to QVP or QVR as an administrator.
    Go to Control Panel > System Settings > Firmware Update.
    Select the Firmware Update tab.
    Click Browse... to upload the latest firmware file.
    Tip: Download the latest firmware file for your specific device
    from https://www.qnap.com/go/download.
    Click Update System.
    The system installs the update.


Attachment

    CVE-2025-68405.json
    CVE-2026-22893.json
    CVE-2025-66281.json
    CVE-2025-66280.json
    CVE-2025-66279.json
    CVE-2025-62858.json
    CVE-2025-66273.json
    CVE-2025-59382.json
    CVE-2026-26240.json
    CVE-2026-26239.json
    CVE-2026-26241.json
    CVE-2026-24724.json
    CVE-2026-22899.json
    CVE-2026-24720.json

Revision History:
V1.0 (June 17, 2026) - Published

=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================