QNAP Security Flaws Enable Unauthorized Remote Access to User Accounts

Multiple severe security vulnerabilities were reported affecting QNAP’s Qsync Central, a widely used file synchronization service for QNAP NAS devices.

Two major issues—CVE-2025-22482 and CVE-2025-29892—pose significant risks, potentially allowing remote attackers who gain access to user accounts to escalate privileges, steal sensitive information, or execute unauthorized commands.

CVE-2025-22482: Externally-Controlled Format String Vulnerability

This vulnerability arises from improper handling of externally supplied input in format strings within Qsync Central.

An attacker with access to a user account can exploit this to manipulate memory, which may lead to information disclosure or even arbitrary code execution.

Technically, the flaw can be understood via the classic format string attack scenario.

For example, if user input is directly passed to a printf-style function without validation, an attacker can inject format specifiers like %x, %n to read or write memory locations:

Improper sanitization allows memory manipulation that can expose secrets such as authentication tokens or modify application behavior.

CVE-2025-29892: SQL Injection Vulnerability

The second vulnerability is an SQL injection flaw, where untrusted input is concatenated into SQL queries without proper sanitization.

This enables an attacker who has already compromised a user account to execute arbitrary SQL commands on the backend database.

If user_input is crafted maliciously (e.g., '; DROP TABLE users;--), it could lead to unauthorized data manipulation or extraction.

This vulnerability is particularly dangerous because it may allow attackers to escalate privileges beyond their initial access scope or disrupt service availability by damaging the database.

Recommended Action: Update to Qsync Central 4.5.0.6 or Later

QNAP addressed these issues in Qsync Central version 4.5.0.6, released on March 20, 2025.

The update includes patches that properly validate user inputs to eliminate format string and SQL injection vulnerabilities.

Affected Versions: All Qsync Central 4.5.x releases prior to 4.5.0.6
Fixed Version: Qsync Central 4.5.0.6 and later

• Immediate Update: Administrators should upgrade Qsync Central to version 4.5.0.6 or the latest available version without delay.
• Access Controls: Restrict user account access and monitor logs for unusual activity, especially from accounts with elevated privileges.
• Input Sanitization: Review and audit any custom scripts or integrations with Qsync Central for similar input handling issues.

By promptly applying the patch, QNAP users can protect their data from potential remote exploits that could otherwise compromise NAS security and confidentiality.

This incident highlights the ongoing need for rigorous input validation and secure coding practices in network storage solutions.