CVE-2025-57709
Published: 11 February 2026
Summary
CVE-2025-57709 is a high-severity heap-based buffer overflow (CWE-122) vulnerability in QNAP Qsync Central. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 14.1th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SI-2 mandates timely flaw remediation, directly addressing this buffer overflow by applying the vendor patch in Qsync Central 5.0.0.4 and later.
SI-10 requires information input validation to enforce bounds checking and prevent buffer overflows like CWE-122 and CWE-787.
SI-16 implements memory protections such as stack guards and non-executable memory to block exploitation of buffer overflows leading to memory modification or crashes.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The buffer overflow lets a remote authenticated attacker modify memory (privilege escalation via T1068) or crash processes (denial of service via T1499.004) on a network-accessible service (T1190).
NVD Description
A buffer overflow vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to modify memory or crash processes. We have already fixed the vulnerability in the following version: Qsync Central 5.0.0.4 ( 2026/01/20 ) and later
Deeper analysis
CVE-2025-57709 is a buffer overflow vulnerability (CWE-122, CWE-787) affecting Qsync Central. The issue enables memory modification or process crashes when exploited. It carries a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H) and was published on 2026-02-11T13:15:55.897.
A remote attacker with a user account (PR:L) can exploit the vulnerability over the network (AV:N) with low complexity (AC:L) and no user interaction (UI:N). Successful exploitation allows modification of memory or crashing of processes, resulting in high integrity (I:H) and availability (A:H) impacts but no confidentiality loss (C:N).
QNAP's security advisory states that the vulnerability has been fixed in Qsync Central version 5.0.0.4 (released 2026/01/20) and later versions. Additional details are available at https://www.qnap.com/en/security-advisory/qsa-26-02.
Details
- CWE(s)