Changeflow GovPing Data Privacy & Cybersecurity Qnap Products Security Vulnerabilities
Priority review Notice Added Final

Qnap Products Security Vulnerabilities

Favicon for www.cert.ssi.gouv.fr CERT-FR Security Advisories
Published March 23rd, 2026
Detected March 23rd, 2026
Email

Summary

CERT-FR has issued an advisory regarding multiple security vulnerabilities discovered in Qnap products. These vulnerabilities could allow attackers to achieve remote arbitrary code execution, denial of service, and data confidentiality breaches. Users are advised to consult Qnap's security bulletins for patch information.

View original document View source feed page

What changed

CERT-FR, the French national cybersecurity agency, has published an advisory (CERTFR-2026-AVI-0336) detailing multiple critical security vulnerabilities affecting various Qnap product lines, including Media Streaming, QuFTP Service, QuNetSwitch, QuRouter, and QVR Pro. The vulnerabilities, identified by CVEs such as CVE-2025-59383 and CVE-2026-22895, can lead to remote arbitrary code execution, remote denial of service, and breaches of data confidentiality.

Organizations utilizing affected Qnap devices must immediately consult the vendor's security bulletins (QSA-26-07 through QSA-26-15) and apply the provided patches to mitigate these risks. Failure to do so could result in significant data breaches, system compromise, and operational disruption. This advisory highlights the ongoing threat landscape for network-attached storage devices and the importance of timely patching.

What to do next

  1. Consult Qnap security bulletins for affected product versions.
  2. Apply available patches and firmware updates to Qnap devices.
  3. Review system logs for any signs of compromise.

Source document (simplified)

Premier Ministre S.G.D.S.N

Agence nationale
de la sécurité des
systèmes d'information

Paris, le 23 mars 2026 N° CERTFR-2026-AVI-0336 Affaire suivie par: CERT-FR

Avis du CERT-FR

Objet: Multiples vulnérabilités dans les produits Qnap

Gestion du document

| Référence | CERTFR-2026-AVI-0336 |
| Titre | Multiples vulnérabilités dans les produits Qnap |
| Date de la première version | 23 mars 2026 |
| Date de la dernière version | 23 mars 2026 |
| Source(s) | Bulletin de sécurité Qnap QSA-26-07 du 21 mars 2026
Bulletin de sécurité Qnap QSA-26-09 du 21 mars 2026
Bulletin de sécurité Qnap qsa-26-11 du 21 mars 2026
Bulletin de sécurité Qnap QSA-26-12 du 21 mars 2026
Bulletin de sécurité Qnap QSA-26-15 du 21 mars 2026 |
Une gestion de version détaillée se trouve à la fin de ce document.

Risques

  • Atteinte à la confidentialité des données
  • Contournement de la politique de sécurité
  • Déni de service à distance
  • Exécution de code arbitraire à distance
  • Injection de code indirecte à distance (XSS)

Systèmes affectés

  • greffon Media Streaming versions 500.1.x antérieures à 500.1.1
  • QuFTP Service versions 1.4.x antérieures à 1.4.3
  • QuFTP Service versions 1.5.x antérieures à 1.5.2
  • QuFTP Service versions 1.6.x antérieures à 1.6.2
  • QuNetSwitch versions 2.0.4.x antérieures à 2.0.4.0415
  • QuNetSwitch versions 2.0.5.x antérieures à 2.0.5.0906
  • QuRouter versions 2.6.x antérieures à 2.6.3.009
  • QVR Pro versions 2.7.x antérieures à 2.7.4.14

Résumé

De multiples vulnérabilités ont été découvertes dans les produits Qnap. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, un déni de service à distance et une atteinte à la confidentialité des données.

Solutions

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

Documentation

Gestion détaillée du document

  1. le 23 mars 2026 Version initiale

Named provisions

Risques Systèmes affectés Résumé Solutions Documentation

Related changes

Favicon for www.cert.ssi.gouv.fr Citrix Products Vulnerabilities
Urgent Mar 23, 2026 CERT-FR Security Advisories Data Privacy & Cybersecurity
Favicon for www.cert.ssi.gouv.fr Synology Products Vulnerability Allows Remote Code Execution
Priority review Mar 23, 2026 CERT-FR Security Advisories Data Privacy & Cybersecurity
Favicon for www.cert.ssi.gouv.fr CPython Vulnerability Allows Security Policy Bypass
Priority review Mar 23, 2026 CERT-FR Security Advisories Data Privacy & Cybersecurity
Favicon for wid.cert-bund.de Uptime Kuma Vulnerability Allows Information Disclosure
Priority review Mar 23, 2026 CERT-Bund Security Advisories Data Privacy & Cybersecurity
Favicon for wid.cert-bund.de MinIO Vulnerability Allows Info Disclosure and Security Bypass
Urgent Mar 23, 2026 CERT-Bund Security Advisories Data Privacy & Cybersecurity
Favicon for wid.cert-bund.de PyTorch Vulnerability Allows Local Code Execution
Priority review Mar 23, 2026 CERT-Bund Security Advisories Data Privacy & Cybersecurity

Source

Favicon for www.cert.ssi.gouv.fr
CERT-FR Security Advisories cert.ssi.gouv.fr/avis
Data Privacy & Cybersecurity
Analysis generated by AI. Source diff and links are from the original.

Classification

Agency
CERT-FR
Published
March 23rd, 2026
Instrument
Notice
Legal weight
Non-binding
Stage
Final
Change scope
Substantive
Document ID
CERTFR-2026-AVI-0336

Who this affects

Applies to
Technology companies
Industry sector
3341 Computer & Electronics Manufacturing
Activity scope
Vulnerability Management Patch Management Network Security
Geographic scope
France FR

Taxonomy

Primary area
Cybersecurity
Operational domain
IT Security
Compliance frameworks
NIST CSF
Topics
Data Security Network Security

Browse Categories

Agriculture & Food Safety 61 Banking & Finance 230 Consumer Protection 40 Courts & Legal 315 Data Privacy & Cybersecurity 63 Defense & National Security 48 Education 20 Energy 104 Environment 83 Government & Legislation 259 Healthcare 131 Housing 15 Immigration 9 Insurance 56 Labor & Employment 111 Legal & Courts 1 Pharma & Drug Safety 97 Securities & Markets 78 Tax 63 Telecom & Technology 47 Trade & Sanctions 124 Transportation 56

Get Data Privacy & Cybersecurity alerts

Weekly digest. AI-summarized, no noise.

Free. Unsubscribe anytime.

Get alerts for this source

We'll email you when CERT-FR Security Advisories publishes new changes.

Free. Unsubscribe anytime.