QNAP QTS and QuTS hero NULL Pointer Dereference Vulnerability Leading to Denial-of-Service

A NULL pointer dereference vulnerability has been identified in QNAP QTS and QuTS hero operating systems. This vulnerability affects several different versions within the QTS 5.2.x and QuTS hero h5.2.x and h5.3.x series. If a remote attacker gains access to a user account, they can exploit this vulnerability to cause a denial-of-service (DoS) condition.

Impact

Exploitation of this vulnerability leads to a denial-of-service condition, causing affected systems to become unresponsive or unavailable.

Remediation

QNAP has released patches for this vulnerability in QTS 5.2.7.3256 build 20250913 and later, as well as in QuTS hero h5.2.7.3256 build 20250913 and later. For QuTS hero h5.3.x, the fixed version is QuTS hero h5.3.1.3250 build 20250912 and later. Users can update their systems through the QNAP Update Center or by downloading the latest version from the QNAP Download Center.