[UPDATE] [medium] QNAP NAS: Multiple vulnerabilities
A remote, authenticated or anonymous attacker can exploit multiple vulnerabilities in QNAP NAS to gain elevated privileges, bypass security mechanisms, cause a Denial of Service condition, execute arbitrary commands, disclose information, or achieve unspecified impacts.
CSIRTS triage
- What
- Multiple vulnerabilities in QNAP NAS can be exploited to gain elevated privileges, bypass security mechanisms, cause Denial of Service, execute arbitrary commands, or disclose information.
- Who is affected
- Remote, authenticated or anonymous attackers targeting QNAP NAS devices.
- Urgency
- Remediation is urgent due to the wide range of impacts, including privilege escalation and remote code execution, although exploitation is not currently observed.
- Action
- Update QNAP NAS to the latest firmware to mitigate these vulnerabilities.
AI-assisted analysis generated from the source advisory — verify against the original.
⚡ Watch NAS
Get an email when a new NAS advisory drops — max one per day, one-click unsubscribe.
Details
Original advisory: https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-1966
Exploitation outlook
EPSS (FIRST.org) estimates each CVE’s probability of exploitation in the next 30 days — here is the CSIRTS.com read on those numbers.
- Low exploitation riskCVE-2025-593820.29% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 21% of all scored CVEs.
- Low exploitation riskCVE-2025-628580.45% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 36% of all scored CVEs.
- Moderate exploitation riskCVE-2025-662731.0% 30-day exploitation probability. Patch within normal cadence, watch for KEV listing. Riskier than 60% of all scored CVEs.
- Moderate exploitation riskCVE-2025-662791.0% 30-day exploitation probability. Patch within normal cadence, watch for KEV listing. Riskier than 60% of all scored CVEs.
- Low exploitation riskCVE-2025-662800.43% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 35% of all scored CVEs.
- Low exploitation riskCVE-2025-662810.46% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 37% of all scored CVEs.
- Low exploitation riskCVE-2026-228930.99% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 58% of all scored CVEs.
- Low exploitation riskCVE-2026-228990.28% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 20% of all scored CVEs.
- Low exploitation riskCVE-2026-247200.28% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 20% of all scored CVEs.
Referenced CVEs
| CVE | CSIRTS overview | External |
|---|---|---|
| CVE-2025-59382 | coverage & exploitation status | NVD · CVE.org |
| CVE-2025-62858 | coverage & exploitation status | NVD · CVE.org |
| CVE-2025-66273 | coverage & exploitation status | NVD · CVE.org |
| CVE-2025-66279 | coverage & exploitation status | NVD · CVE.org |
| CVE-2025-66280 | coverage & exploitation status | NVD · CVE.org |
| CVE-2025-66281 | coverage & exploitation status | NVD · CVE.org |
| CVE-2025-68405 | coverage & exploitation status | NVD · CVE.org |
| CVE-2026-22893 | coverage & exploitation status | NVD · CVE.org |
| CVE-2026-22899 | coverage & exploitation status | NVD · CVE.org |
| CVE-2026-24720 | coverage & exploitation status | NVD · CVE.org |
| CVE-2026-24724 | coverage & exploitation status | NVD · CVE.org |
| CVE-2026-26239 | coverage & exploitation status | NVD · CVE.org |
| CVE-2026-26240 | coverage & exploitation status | NVD · CVE.org |
| CVE-2026-26241 | coverage & exploitation status | NVD · CVE.org |
Same CVEs, other sources
How other CERTs, PSIRTs and databases cover the vulnerabilities in this advisory.
- unknownQNAP NAS Multiple Vulnerabilitieshkcert
Recent advisories for QNAP NAS
A cluster of recent advisories against the same product widens the attack surface — attackers routinely chain freshly published CVEs on one product, so review these together.
- unknownQNAP NAS Multiple Vulnerabilitieshkcert · 2026-06-24
- criticalexploitedCVE-2018-19953: QNAP NAS File Station Cross-Site Scripting Vulnerabilitycisa-kev · 2022-05-24
- criticalexploitedCVE-2018-19949: QNAP NAS File Station Command Injection Vulnerabilitycisa-kev · 2022-05-24
- criticalexploitedCVE-2018-19943: QNAP NAS File Station Cross-Site Scripting Vulnerabilitycisa-kev · 2022-05-24
- criticalexploitedCVE-2020-2509: QNAP Network-Attached Storage (NAS) Command Injection Vulnerabilitycisa-kev · 2022-04-11
- criticalexploitedCVE-2021-28799: QNAP NAS Improper Authorization Vulnerabilitycisa-kev · 2022-03-31
More from CERT-Bund (BSI) Security Advisories
- medium[NEW] [medium] DENX U-Boot: Multiple vulnerabilities allow execution of arbitrary code and DoS2026-07-10
- medium[NEW] [medium] Samsung Android: Multiple vulnerabilities2026-07-10
- medium[UPDATE] [medium] Linux Kernel: Multiple vulnerabilities allow denial of service2026-07-10
- medium[UPDATE] [medium] Linux Kernel: Multiple vulnerabilities allow unspecified attack2026-07-10
- medium[UPDATE] [medium] Linux Kernel: Multiple vulnerabilities allow denial of service2026-07-10