Security ID : QSA-26-02
Multiple Vulnerabilities in Qsync Central
Release date : February 12, 2026
CVE identifier : CVE-2025-30269 | CVE-2025-30276 | CVE-2025-47209 | CVE-2025-48722 | CVE-2025-48723 | CVE-2025-48724 | CVE-2025-52868 | CVE-2025-52869 | CVE-2025-52870 | CVE-2025-53598 | CVE-2025-54146 | CVE-2025-54147 | CVE-2025-54148 | CVE-2025-54149 | CVE-2025-54150..
Affected products: Qsync Central 5.0.x
Severity
Moderate
Status
Resolved
Summary
Multiple vulnerabilities have been reported to affect Qsync Central:
- CVE-2025-30269: Use of externally-controlled format string vulnerability
If a remote attacker gains access to a user account, they can then exploit the vulnerability to obtain secret data or modify memory. - CVE-2025-54170: Out-of-bounds read vulnerability
If a remote attacker gains access to a user account, they can then exploit the vulnerability to obtain secret data. - CVE-2025-30276: Out-of-bounds write vulnerability
If a remote attacker gains access to a user account, they can then exploit the vulnerability to modify or corrupt memory. - CVE-2025-47209, CVE-2025-48722, CVE-2025-53598, CVE-2025-54146, CVE-2025-54147, CVE-2025-54148, CVE-2025-58472, CVE-2025-30266: NULL pointer dereference vulnerabilities
If a remote attacker gains access to a user account, they can then exploit the vulnerabilities to launch a denial-of-service (DoS) attack. - CVE-2025-48723, CVE-2025-48724, CVE-2025-52868, CVE-2025-52869, CVE-2025-52870, CVE-2025-57709: Buffer overflow vulnerabilities
If a remote attacker gains access to a user account, they can then exploit the vulnerabilities to modify memory or crash processes. - CVE-2025-54149, CVE-2025-54150, CVE-2025-54151: Uncontrolled resource consumption vulnerabilities
If a local attacker gains access to a user account, they can then exploit the vulnerabilities to launch a denial-of-service (DoS) attack. - CVE-2025-54152: Out-of-range pointer offset vulnerability
If a remote attacker gains access to a user account, they can then exploit the vulnerability to read sensitive portions of memory. - CVE-2025-57708, CVE-2025-57710, CVE-2025-57711, CVE-2025-58471: Allocation of resources without limits or throttling vulnerabilities
If a remote attacker gains access to a user account, they can then exploit the vulnerabilities to prevent other systems, applications, or processes from accessing the same type of resource. - CVE-2025-58467, CVE-2025-58470, CVE-2025-68406: Relative path traversal vulnerabilities
If a remote attacker gains access to a user account, they can then exploit the vulnerabilities to read the contents of unexpected files or system data.
We have already fixed the vulnerabilities in the following version:
| Affected Product | Fixed Version |
| Qsync Central 5.0.x | Qsync Central 5.0.0.4 (2026/01/20) and later |
Recommendation
To fix the vulnerabilities, we recommend updating Qsync Central to the latest version.
Updating Qsync Central
- Log on to QTS or QuTS hero as an administrator.
- Open App Center and then click
.
A search box appears. - Type "Qsync Central" and then press ENTER.
Qsync Central appears in the search results. - Click Update.
A confirmation message appears.
Note: The Update button is not available if your Qsync Central is already up to date. - Click OK.
The system updates the application.
Attachment
- CVE-2025-30269.json
- CVE-2025-30276.json
- CVE-2025-47209.json
- CVE-2025-48722.json
- CVE-2025-48723.json
- CVE-2025-48724.json
- CVE-2025-52868.json
- CVE-2025-52869.json
- CVE-2025-52870.json
- CVE-2025-53598.json
- CVE-2025-54146.json
- CVE-2025-54147.json
- CVE-2025-54148.json
- CVE-2025-54149.json
- CVE-2025-54150.json
- CVE-2025-54151.json
- CVE-2025-54152.json
- CVE-2025-54170.json
- CVE-2025-57708.json
- CVE-2025-57709.json
- CVE-2025-57710.json
- CVE-2025-57711.json
- CVE-2025-58467.json
- CVE-2025-58470.json
- CVE-2025-58471.json
- CVE-2025-58472.json
- CVE-2025-68406.json
- CVE-2025-30266.json
Acknowledgements:
coral
Searat and izut
Revision History:
V1.0 (February 12, 2026) - Published
