QNAP QTS and QuTS hero Out-of-Bounds Read Vulnerability Allowing Data Exposure

A vulnerability allowing out-of-bounds read has been identified in multiple versions of QNAP's operating systems, specifically QTS 5.2.x and QuTS hero h5.2.x and h5.3.x. This vulnerability can be exploited by remote attackers who have gained access to an administrator account, enabling them to access secret data. The issue arises from improper handling of memory, which could be exploited to read data outside the intended boundaries, potentially leading to unauthorized information disclosure.

Impact

Exploitation of this vulnerability could result in unauthorized access to sensitive data.

Remediation

Users can update to QTS 5.2.7.3256 build 20250913 or later, or QuTS hero h5.2.7.3256 build 20250913 and later for versions h5.3.x, QuTS hero h5.3.1.3250 build 20250912 and later. Instructions for updating QTS or QuTS hero are available on the QNAP website.