QNAP has released security updates addressing multiple critical vulnerabilities in several of its applications, including a severe SQL injection flaw in QuMagie, the company’s photo management application for network-attached storage (NAS) devices.
SQL injection occurs when an attacker can insert malicious code into database queries, potentially allowing them to view, modify, or delete data they shouldn’t have access to. In the worst cases, attackers can gain complete control over the affected system.
The most severe vulnerability, tracked as CVE-2025-52425, affects QuMagie version 2.6.x. This SQL injection vulnerability has been rated as critical severity and could allow a remote attacker to execute unauthorized code or commands on affected systems.
QNAP has resolved the vulnerability in QuMagie version 2.7.0 and later. Users are strongly advised to update their installations immediately through the QTS or QuTS hero App Center.
Additional Security Updates
QNAP’s November 8 security advisory bundle also addressed vulnerabilities in several other applications including:
Download Station (QSA-25-37): Multiple vulnerabilities including a relative path traversal flaw and cross-site scripting (XSS) vulnerability. Fixed in version 5.10.0.305 for QTS 5.2.1 and version 5.10.0.304 for QuTS hero h5.2.1
File Station 5 (QSA-25-38): Multiple moderate-severity vulnerabilities including resource allocation issues, NULL pointer dereference flaws, and XSS vulnerabilities. Resolved in version 5.5.6.5018 and later
Notification Center (QSA-25-40): Cross-site scripting vulnerability that could allow attackers with administrator access to bypass security mechanisms
Qsync Central (QSA-25-41): Path traversal vulnerability allowing unauthorized file access
QuLog Center (QSA-25-42): XSS and cross-site request forgery (CSRF) vulnerabilities. Fixed in version 1.8.2.923
QuMagie (QSA-25-43): Additional relative path traversal vulnerability in version 2.7.x, resolved in version 2.7.3 and later
Several of the patched vulnerabilities were discovered during the Pwn2Own 2025 hacking competition, where security researchers demonstrate exploits against widely-used software and hardware. QNAP addressed:
QNAP users should immediately update all affected applications through their device’s App Center. For operating system updates, administrators can check for updates through Control Panel > System > Firmware Update.
Given the critical nature of several vulnerabilities and the widespread use of QNAP NAS devices in both home and business environments, prompt patching is essential to prevent potential exploitation.
Visit their official security advisories page here for update and additional information.
Leave a Reply