CVE-2025-44014
Published: 03 October 2025
Description
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
Security Summary
CVE-2025-44014 is an out-of-bounds write vulnerability (CWE-787) affecting Qsync Central. A remote attacker who gains a user account can exploit the vulnerability to modify or corrupt memory. The issue carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and was published on 2025-10-03.
A remote attacker with low privileges, such as a compromised user account, can exploit this vulnerability over the network with low attack complexity and no user interaction required. Exploitation enables the attacker to modify or corrupt memory, resulting in high impacts to confidentiality, integrity, and availability.
QNAP has fixed the vulnerability in Qsync Central version 5.0.0.1, released on 2025/07/09, and later versions. Administrators should update affected systems immediately. Additional details are available in QNAP security advisory QSA-25-34 at https://www.qnap.com/en/security-advisory/qsa-25-34.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Out-of-bounds write enables remote low-privileged memory corruption/modification in Qsync Central service, directly facilitating exploitation for privilege escalation (T1068) and exploitation of remote services (T1210).