QNAP QTS/QuTS hero Command Injection and Buffer Overflow Vulnerabilities (CVE-2025-22481/CVE-2024-56805)

Critical Vulnerability Information Vulnerability Overview Security ID: QSA-25-12 Release Date: June 7, 2025 CVE Identifiers: CVE-2025-22481, CVE-2024-56805 Affected Products: QTS 5.2.x, QuTS hero h5.2.x Severity: Important Status: Resolved Vulnerability Details CVE-2025-22481: Command Injection Vulnerability - If a remote attacker gains access to a user account, they can exploit this vulnerability to execute arbitrary commands. CVE-2024-56805: Buffer Overflow Vulnerability - If a remote attacker gains access to a user account, they can exploit this vulnerability to modify memory or cause process crashes. Affected Versions and Fixed Versions Recommended Actions Regularly update your system to the latest version to benefit from vulnerability fixes. You can check the product support status to learn about the latest updates for your NAS model. Update Steps 1. Log in to QTS or QuTS hero as an administrator. 2. Go to Control Panel > System > Firmware Update. 3. Under Live Update, click Check for Updates. - The system will download and install the latest available update. Attachments CVE-2024-56805.json CVE-2025-22481.json Acknowledgments Anonymous (CVE-2025-22485) Searat and izut (CVE-2025-22481, CVE-2024-56805) Version History V1.0 (June 7, 2025) - Released

Goal Reached Thanks to every supporter — we hit 100%!

QNAP QTS/QuTS hero Command Injection and Buffer Overflow Vulnerabilities (CVE-2025-22481/CVE-2024-56805)