SB2025100642 - Multiple vulnerabilities in QNAP Qsync Central

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2025100642

SB2025100642 - Multiple vulnerabilities in QNAP Qsync Central

Published: October 6, 2025

Security Bulletin ID SB2025100642
Severity
Medium
Patch available
YES
Number of vulnerabilities 10
Exploitation vector Remote access
Highest impact Information disclosure

Breakdown by Severity

Medium 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 10 secuirty vulnerabilities.


1) Path traversal (CVE-ID: CVE-2025-33034)

The vulnerability allows a remote attacker to perform directory traversal attacks.

The vulnerability exists due to input validation error when processing directory traversal sequences. A remote user can send a specially crafted HTTP request and read arbitrary files on the system.


2) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2025-33039)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to allocation of resources without limits or throttling. A remote user can cause a denial of service condition on the target system.


3) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2025-33040)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to allocation of resources without limits or throttling. A remote user can cause a denial of service condition on the target system.


4) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2025-44006)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to allocation of resources without limits or throttling. A remote user can cause a denial of service condition on the target system.


5) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2025-44007)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to allocation of resources without limits or throttling. A remote user can cause a denial of service condition on the target system.


6) NULL pointer dereference (CVE-ID: CVE-2025-44008)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference error. A remote user can pass specially crafted data to the application and perform a denial of service (DoS) attack.


7) NULL pointer dereference (CVE-ID: CVE-2025-44009)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference error. A remote user can pass specially crafted data to the application and perform a denial of service (DoS) attack.


8) NULL pointer dereference (CVE-ID: CVE-2025-44010)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference error. A remote user can pass specially crafted data to the application and perform a denial of service (DoS) attack.


9) NULL pointer dereference (CVE-ID: CVE-2025-44011)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference error. A remote user can pass specially crafted data to the application and perform a denial of service (DoS) attack.


10) Out-of-bounds write (CVE-ID: CVE-2025-44014)

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a boundary error when processing untrusted input. A remote user can trigger an out-of-bounds write and perform a denial of service (DoS) attack on the target system.


Remediation

Install update from vendor's website.

References