CVE-2025-52869

High

Published: 11 February 2026

Published

11 February 2026

Modified

12 February 2026

KEV Added

—

Patch

—

CVSS Score 8.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

EPSS Score 0.0014 34.2th percentile

Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Description

A buffer overflow vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to modify memory or crash processes. We have already fixed the vulnerability in the following…

version: Qsync Central 5.0.0.4 ( 2026/01/20 ) and later

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

SI-2 requires timely flaw remediation, directly mitigating this buffer overflow by applying the vendor-provided patch to Qsync Central version 5.0.0.4 or later.

SI-10 Information Input Validation good match

prevent

SI-10 enforces information input validation, preventing buffer overflows like CWE-120/122 triggered by attacker-supplied inputs post-authentication.

SI-16 Memory Protection good match

prevent

SI-16 provides memory protection mechanisms such as ASLR and DEP, blocking unauthorized memory modification and process crashes from buffer overflow exploitation.

Security SummaryAI

CVE-2025-52869 is a buffer overflow vulnerability (CWE-120, CWE-122) affecting Qsync Central. Published on 2026-02-11, it carries a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H), indicating high severity due to network accessibility, low attack complexity, and impacts on integrity and availability without requiring user interaction or privilege escalation beyond initial user-level access.

A remote attacker who has gained a user account can exploit the vulnerability to modify memory or crash processes, enabling high-impact integrity violations such as unauthorized data alteration and denial-of-service conditions through process termination.

QNAP's security advisory confirms the vulnerability has been fixed in Qsync Central version 5.0.0.4, released on 2026/01/20, and all later versions. Practitioners should update affected systems immediately and consult the advisory at https://www.qnap.com/en/security-advisory/qsa-26-02 for full details on verification and deployment.

Details

CWE(s): CWE-120 CWE-122

Affected Products

qnap

qsync central

5.0.0.0 — 5.0.0.4

MITRE ATT&CK Enterprise TechniquesAI

T1499.004 Application or System Exploitation Impact

Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

attack.mitre.org →

T1565.001 Stored Data Manipulation Impact

Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.

attack.mitre.org →

Why these techniques?

The buffer overflow allows remote attackers with user access to crash processes (T1499.004: Endpoint Denial of Service via application exploitation) and perform unauthorized data alteration through memory modification (T1565.001: Stored Data Manipulation), directly matching the described impacts on availability and integrity.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://www.qnap.com/en/security-advisory/qsa-26-02
Vendor Advisory · security@qnapsecurity.com.tw