QNAP published a security advisory addressing multiple vulnerabilities in its License Center application.
These flaws could allow cyber attackers to steal confidential information, block system processes, or modify the memory of storage devices.
QNAP Systems is a technology company specializing in network-attached storage (NAS) solutions, video surveillance, network infrastructure, and data management for homes, small and medium-sized businesses (SMBs), and enterprises.
On January 3, a security update was released that resolves two separate issues affecting License Center 2.0.x. QNAP has rated the overall severity of these flaws as moderate.
The advisory highlights two specific vulnerabilities stemming from memory management errors.
The first issue, identified as CVE-2025-52871, is an out-of-bounds read vulnerability.
If a remote attacker gains access to a standard user account, they can exploit this vulnerability to read data they should not have access to, potentially exposing confidential information stored in system memory.
The second issue, CVE-2025-53597, is a buffer overflow vulnerability. This vulnerability is more serious but requires higher privileges; an attacker needs access to an administrator account to exploit it.
Successful exploitation allows the attacker to modify memory or block processes, resulting in a denial-of-service (DoS) condition or potential system instability.
QNAP has resolved these issues in License Center version 2.0.36 and later.
The company strongly recommends that all users of License Center 2.0.x update to the latest version immediately to ensure the security of their data.