Alert GCSA-26001 - Multiple vulnerabilities in QNAP NAS
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
******************************************************************
Alert ID: GCSA-26001
Date: 05 January 2026
Title: Multiple vulnerabilities in QNAP NAS products
******************************************************************
:: Description of the problem
Multiple vulnerabilities have been identified in QNAP NAS, two of which
are rated "critical" and one "high", that could allow a remote attacker
to execute arbitrary code and manipulate data on an affected system.
:: Affected software
Qfinder Pro (Mac) 7.13.x, versions prior to 7.13.0
Qsync (Mac) 5.1.x, versions prior to 5.1.5
QVPN Device Client (Mac) 2.2.x, versions prior to 2.2.8
Qfiling 3.13.x, versions prior to 3.13.1
MARS (Multi-Application Recovery Service) 1.2.x, versions prior to 1.2.1.1686
:: Impact
Remote Code Execution
Information Disclosure
Data Manipulation
:: Solutions
Update systems to the latest released versions:
https://www.qnap.com/en/security-advisory/qsa-25-53
https://www.qnap.com/en/security-advisory/qsa-25-54
https://www.qnap.com/en/security-advisory/qsa-25-55
:: References
QNAP Security Advisory:
https://www.qnap.com/en/security-advisories
https://www.qnap.com/en/security-advisory/qsa-25-53
https://www.qnap.com/en/security-advisory/qsa-25-54
https://www.qnap.com/en/security-advisory/qsa-25-55
CSIRT Italia
https://www.acn.gov.it/portale/w/vulnerabilita-in-prodotti-qnap-5
Mitre CVE:
https://www.cve.org/CVERecord?id=CVE-2025-44013
https://www.cve.org/CVERecord?id=CVE-2025-52426
https://www.cve.org/CVERecord?id=CVE-2025-52430
https://www.cve.org/CVERecord?id=CVE-2025-53594
https://www.cve.org/CVERecord?id=CVE-2025-59384
https://www.cve.org/CVERecord?id=CVE-2025-59387
https://www.cve.org/CVERecord?id=CVE-2025-62857
GARR CERT Security Alert - subscribe/unsubscribe:
https://www.cert.garr.it/alert/ricevi-gli-alert-di-cert
-----BEGIN PGP SIGNATURE-----
iF0EAREIAB0WIQTGpdiR5MqstacBGHbBnEyTZRJgQgUCaVvh4AAKCRDBnEyTZRJg
QmaZAKC9HRZO0EvCFBvKBBpz3AjVBoQ3SACg2aaewTr5ft1R9N6W9DVgwqeBB8I=
=6g65
-----END PGP SIGNATURE-----