CVE-2025-48723
Published: 11 February 2026
Summary
CVE-2025-48723 is a high-severity Classic Buffer Overflow (CWE-120) vulnerability in Qnap Qsync Central. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 14.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates the buffer overflow by requiring timely remediation through patching to the fixed Qsync Central version 5.0.0.4 or later.
Implements memory protection mechanisms like ASLR, DEP, and stack canaries to prevent exploitation of buffer overflows for memory modification or process crashes.
Enforces input validation to reject oversized or malformed inputs that trigger the buffer overflow in Qsync Central.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Buffer overflow enables remote authenticated exploitation of Qsync Central service for memory modification or process crash (DoS).
NVD Description
A buffer overflow vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to modify memory or crash processes. We have already fixed the vulnerability in the following…
more
version: Qsync Central 5.0.0.4 ( 2026/01/20 ) and later
Deeper analysisAI
CVE-2025-48723 is a buffer overflow vulnerability (CWE-120, CWE-122) affecting Qsync Central. Published on 2026-02-11, it carries a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H), indicating high severity due to network accessibility, low attack complexity, and significant impacts on integrity and availability without requiring user interaction.
A remote attacker who has obtained a user account can exploit the vulnerability to modify memory or crash processes on the affected system. This requires low privileges (PR:L) but allows exploitation over the network with no additional user interaction, potentially disrupting service availability or enabling unauthorized data manipulation.
QNAP's security advisory confirms the vulnerability has been fixed in Qsync Central version 5.0.0.4, released on 2026/01/20, and all later versions. Practitioners should update to a patched version and review the advisory at https://www.qnap.com/en/security-advisory/qsa-26-02 for full mitigation details.
Details
- CWE(s)