89
CVEs
1
Critical
21
High
0
KEV
0
PoC
11
Unpatched C/H
42.7%
Patch Rate
0.1%
Avg EPSS
Severity Breakdown
CRITICAL
1
HIGH
21
MEDIUM
62
LOW
5
Monthly CVE Trend
Affected Products (6)
Top Risky CVEs
| CVE | Summary | Severity | CVSS | EPSS | Priority | Signals |
|---|---|---|---|---|---|---|
| CVE-2025-66277 | Symlink following vulnerability in multiple QNAP NAS operating system versions allows remote attackers to exploit link resolution for unauthorized access. | CRITICAL | 9.8 | 0.1% | 49 |
No patch
|
| CVE-2025-22481 | Command injection vulnerability affecting QNAP NAS operating systems (QTS and QuTS hero) that allows authenticated remote attackers to execute arbitrary commands with high severity (CVSS 8.8). The vulnerability requires valid user credentials but no user interaction, making it exploitable by compromised accounts or insider threats. QNAP has released patches as of March 21, 2025, and exploitation details are limited in public disclosures at this time. | HIGH | 8.8 | 0.2% | 44 |
|
| CVE-2025-29883 | CVE-2025-29883 is an improper certificate validation vulnerability affecting Synology File Station 5 that allows authenticated remote attackers to compromise system security through man-in-the-middle attacks or credential harvesting. The vulnerability requires valid user credentials (PR:L) but can result in complete system compromise with high impact to confidentiality, integrity, and availability (CVSS 8.8). Patched versions are available for File Station 5 5.5.6.4791 and later. | HIGH | 8.8 | 0.1% | 44 |
|
| CVE-2025-30279 | CVE-2025-30279 is an improper certificate validation vulnerability in QNAP File Station 5 that allows authenticated remote attackers to compromise system confidentiality, integrity, and availability. Affected versions are below 5.5.6.4847; the vulnerability requires valid user credentials but no user interaction, making it a significant post-authentication attack vector with a CVSS score of 8.8 indicating high severity. | HIGH | 8.8 | 0.1% | 44 |
|
| CVE-2025-29892 | SQL injection vulnerability in Qsync Central that allows authenticated remote attackers to execute arbitrary code or commands with high impact on confidentiality, integrity, and availability. The vulnerability affects all versions prior to Qsync Central 4.5.0.6 (released 2025/03/20), and while no active KEV or public PoC is explicitly referenced in the provided data, the high CVSS score of 8.8 combined with low attack complexity and low privilege requirements indicates this is a serious, readily exploitable vulnerability that should be prioritized for patching. | HIGH | 8.8 | 0.1% | 44 |
|
| CVE-2025-52863 | A buffer overflow vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains a user account, they can then exploit the vulnerability to modify memory or crash processes. [CVSS 8.1 HIGH] | HIGH | 8.1 | 0.1% | 41 |
No patch
|
| CVE-2025-52864 | A buffer overflow vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains a user account, they can then exploit the vulnerability to modify memory or crash processes. [CVSS 8.1 HIGH] | HIGH | 8.1 | 0.1% | 41 |
No patch
|
| CVE-2025-52872 | A buffer overflow vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains a user account, they can then exploit the vulnerability to modify memory or crash processes. [CVSS 8.1 HIGH] | HIGH | 8.1 | 0.1% | 41 |
No patch
|
| CVE-2025-48725 | A buffer overflow vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains a user account, they can then exploit the vulnerability to modify memory or crash processes. [CVSS 8.1 HIGH] | HIGH | 8.1 | 0.1% | 41 |
No patch
|
| CVE-2025-22482 | Format string vulnerability in QNAP Qsync Central that allows authenticated remote attackers to read sensitive data or modify memory without user interaction. The vulnerability affects all versions prior to Qsync Central 4.5.0.6 (released March 20, 2025), with a CVSS score of 8.1 indicating high severity. While no public exploit or KEV status is currently documented, the low attack complexity and requirement for only low-privilege user access make this a significant risk for organizations running vulnerable versions. | HIGH | 8.1 | 0.1% | 41 |
|
| CVE-2024-14026 | A command injection vulnerability has been reported to affect several QNAP operating system versions. If an attacker gains local network access who have also gained a user account, they can then exploit the vulnerability to execute arbitrary commands. [CVSS 7.8 HIGH] | HIGH | 7.8 | 0.2% | 39 |
No patch
|
| CVE-2025-22490 | NULL pointer dereference vulnerability in QNAP File Station 5 that allows authenticated remote attackers to trigger a denial-of-service condition by crashing the application. The vulnerability affects File Station 5 versions prior to 5.5.6.4847, and while it requires valid user credentials (PR:N indicates no privileges required once authenticated), it has a CVSS score of 7.5 reflecting high availability impact. No indication of active exploitation in the wild or public POC is evident from the provided data. | HIGH | 7.5 | 0.1% | 38 |
|
| CVE-2025-29873 | NULL pointer dereference vulnerability affecting QNAP File Station 5 that allows authenticated remote attackers to trigger a denial-of-service condition by crashing the application. The vulnerability has a CVSS score of 7.5 (High) due to its network accessibility and high availability impact, though it requires valid user credentials to exploit. QNAP has released patched versions (5.5.6.4847 and later) to remediate this issue. | HIGH | 7.5 | 0.1% | 38 |
|
| CVE-2025-29876 | NULL pointer dereference vulnerability in QNAP File Station 5 that allows authenticated remote attackers to trigger a denial-of-service condition by crashing the application. While the CVSS score of 7.5 is elevated, the requirement for a valid user account (PR:N is misleading in vector; effective privilege requirement exists) and lack of data confidentiality/integrity impact limit real-world severity. The vulnerability affects File Station 5 versions prior to 5.5.6.4847, and the vendor has released patched versions. | HIGH | 7.5 | 0.1% | 38 |
|
| CVE-2025-29877 | NULL pointer dereference vulnerability in QNAP File Station 5 that allows authenticated remote attackers to trigger a denial-of-service condition by causing the application to crash. While the CVSS 7.5 score reflects the severity of availability impact, the vulnerability requires valid user credentials to exploit, making it primarily a risk for organizations with compromised or malicious insider accounts. The vendor has released patches in version 5.5.6.4847 and later. | HIGH | 7.5 | 0.1% | 38 |
|