—–BEGIN PGP SIGNED MESSAGE—–

Hash: SHA256

Vulnerability in QNAP NAS

Indian – Computer Emergency Response Team (https://www.cert-in.org.in)

Severity Rating: HIGH

Software Affected

QNAP QTS 4.3.x.

Overview

A vulnerability has been reported in QNAP product, which could allow a remote attacker to bypass security restrictions on the targeted system.

Target Audience:

Organizations and Individuals using affected QNAP devices and applications.

Risk Assessment:

Risk of unauthorized access or actions.

Impact Assessment:

Exposure of sensitive data or information.

Description

QNAP QTS is a network-attached storage (NAS) operating system widely used for file sharing, data backup, and multimedia services.

This vulnerability exist in QNAP due to misconfiguration of NFS (Network File System) settings that may allow a remote attacker to perform actions and potentially gain access to the targeted system.

Successful exploitation of this vulnerability could allow a remote attacker to bypass security restrictions on the targeted system.

Solution

Apply appropriate updates as mentioned by the vendor:

https://www.qnap.com/en/security-advisory/qsa-25-56

Vendor Information

QNAP

https://www.qnap.com/en/security-advisory/qsa-25-56

References

QNAP

https://www.qnap.com/en/security-advisory/qsa-25-56

CVE Name

CVE-2025-66276

– —

Thanks and Regards,

CERT-In

Incident Response Help Desk

e-mail: incident@cert-in.org.in

Phone: +91-11-22902657

Toll Free Number: 1800-11-4949

Toll Free Fax : 1800-11-6969

Web: http://www.cert-in.org.in

PGP Fingerprint: A768 083E 4475 5725 B81A A379 2156 C0C0 B620 D0B4

PGP Key information:

https://www.cert-in.org.in/s2cMainServlet?pageid=CONTACTUS

Postal address:

Indian Computer Emergency Response Team (CERT-In)

Ministry of Electronics and Information Technology

Government of India

Electronics Niketan

6, C.G.O. Complex

New Delhi-110 003

—–BEGIN PGP SIGNATURE—–

iQIzBAEBCAAdFiEE6r4Iam/Ey0c/KakL3jCgcSdcys8FAmmHJnYACgkQ3jCgcSdc

ys+jDQ//Z6jCfWf591EMjVdehvvHbpcIzuHdiGICIukdZN48wIB9M9HBVfD7gcJE

fWaGuxUx/VHTI1RQZIw4Pr6HGK+/xXt2UOvMybE+YPuIDR8QVdClVc49uMxC5kc4

H1kOA7Uh/U+k3MZaKUq8WgVwtoKrmOgOihsRxUalKH+HVAF7LwqGkKu67TSl36iw

xFoAQLP2O5tpdR3aEnHXnnr6Jc3G/IQWaFfoGt20DXLj27kR8wO8NtFpVOKND8bC

V8nrv8aFWIj3HzvQEiytIMMpWdculgdkAe6fLYz4zDmeV7H1xpgj0Nl4ANspWzij

TTrGb6BwAiqMDzpLK/FHTL/09djByrLuI8JImdubVmWnqVz3+JZdguREZQVRExOW

ygBLCnx12wEGwnD8ydwAkOlXuT84KWd11IvAX7fu5t8dXHFfZLG/asTAxdnHvIqL

oa8+Ufn08L5D3Dw8qIgqsbrWONUPEuQIdsskntb7LKPJo66kW7XRNcWJsVEgFR4p

M5q85n1kEOurAI0e8WdT/Hd7mb4IaKeSLmyEVcYoLqmtXEsYXUzvS3GW2csRTSd0

cH3e4E0xK47lbMRtINxCEwlnL53OH51e5asRmpnXRWWU847imgOkRJY8XfIMbzrv

1GU5+dPicq6PYNBOXWcgS4GCw6lHzZGwF84ZpgFb6D/G9cTLjrU=

=J9hp

—–END PGP SIGNATURE—–