Cyber Resilience

CVE-2025-30269

Low

Published: 11 February 2026

Modified: 11 February 2026
KEV Added:
Patch:
CVSS Score v4: 0.6 (CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0028 (19.6th percentile)
Risk Priority: 15 (floored blend · peak EPSS)

Summary

CVE-2025-30269 is a low-severity Use of Externally-Controlled Format String (CWE-134) vulnerability in QNAP Qsync Central. Its CVSS v4 base score is 0.6 (Low).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 19.6th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-30269 is a use of externally-controlled format string vulnerability (CWE-134) affecting Qsync Central. Published on 2026-02-11, it carries a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N), indicating high severity due to network accessibility, low attack complexity, and significant impacts on confidentiality and integrity.

A remote attacker who has gained a user account on the affected system can exploit the vulnerability to obtain secret data or modify memory. The low privilege requirement (PR:L) means legitimate user credentials suffice for exploitation, enabling unauthorized data disclosure or memory corruption without user interaction.

QNAP has fixed the vulnerability in Qsync Central version 5.0.0.4, released on 2026/01/20, and later versions. Additional mitigation details are available in the security advisory at https://www.qnap.com/en/security-advisory/qsa-26-02.

Vulnerability details

A use of externally-controlled format string vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to obtain secret data or modify memory. We have already fixed the vulnerability in the following version: Qsync Central 5.0.0.4 (2026/01/20) and later

Related Threats

MITRE ATT&CK Enterprise Techniques AI

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1212 Exploitation for Credential Access (Credential Access): Adversaries may exploit software vulnerabilities in an attempt to collect credentials.

Why these techniques?

The format string flaw in the network-accessible Qsync Central service directly enables remote exploitation of a public-facing application (T1190) to read arbitrary memory or secret data, which maps to credential access via exploitation (T1212).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-29894 (same product: QNAP Qsync Central)
CVE-2025-30276 (same product: QNAP Qsync Central)
CVE-2025-52870 (same product: QNAP Qsync Central)
CVE-2025-54153 (same product: QNAP Qsync Central)
CVE-2025-48724 (same product: QNAP Qsync Central)
CVE-2025-30277 (same product: QNAP Qsync Central)
CVE-2025-53595 (same product: QNAP Qsync Central)
CVE-2025-48723 (same product: QNAP Qsync Central)
CVE-2025-30278 (same product: QNAP Qsync Central)
CVE-2025-57709 (same product: QNAP Qsync Central)

Affected Assets

Vendor: qnap
Product: qsync central
Versions: 5.0.0.0 — 5.0.0.4

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent: Directly mitigates the CVE by requiring identification, reporting, and timely patching of the format string vulnerability as provided by QNAP in version 5.0.0.4.

prevent: Prevents exploitation of the externally-controlled format string vulnerability by validating all information inputs, including those used in formatting operations.

prevent: Mitigates memory modification from format string attacks through safeguards like non-executable memory and address space randomization, though less effective against information disclosure.
