CVE-2025-30269
Published: 11 February 2026
Summary
CVE-2025-30269 is a high-severity Use of Externally-Controlled Format String (CWE-134) vulnerability in Qnap Qsync Central. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 19.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates the CVE by requiring identification, reporting, and timely patching of the format string vulnerability as provided by QNAP in version 5.0.0.4.
Prevents exploitation of the externally-controlled format string vulnerability by validating all information inputs, including those used in formatting operations.
Mitigates memory modification from format string attacks through safeguards like non-executable memory and address space randomization, though less effective against information disclosure.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Format string flaw in network-accessible Qsync Central service directly enables remote exploitation of a public-facing app (T1190) to read arbitrary memory/secret data, mapping to credential access via exploitation (T1212).
NVD Description
A use of externally-controlled format string vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to obtain secret data or modify memory. We have already fixed the…
more
vulnerability in the following version: Qsync Central 5.0.0.4 ( 2026/01/20 ) and later
Deeper analysisAI
CVE-2025-30269 is a use of externally-controlled format string vulnerability (CWE-134) affecting Qsync Central. Published on 2026-02-11, it carries a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N), indicating high severity due to network accessibility, low attack complexity, and significant impacts on confidentiality and integrity.
A remote attacker who has gained a user account on the affected system can exploit the vulnerability to obtain secret data or modify memory. The low privilege requirement (PR:L) means legitimate user credentials suffice for exploitation, enabling unauthorized data disclosure or memory corruption without user interaction.
QNAP has fixed the vulnerability in Qsync Central version 5.0.0.4, released on 2026/01/20, and later versions. Additional mitigation details are available in the security advisory at https://www.qnap.com/en/security-advisory/qsa-26-02.
Details
- CWE(s)