Two important security incidents were reported recently. Here is our quick update on each.
CVE-2026-32746 telnetd vulnerability
This is a vulnerability in specific telnetd implementations. Attackers send crafted payloads during the initialization phase to trigger a memory buffer overflow, allowing arbitrary command execution with system privileges.
The telnet service on QNAP NAS, QVP, and TVR products is disabled by default, and our systems use a different terminal service package that does not contain the defective function code.
Firmware updates are not required for this issue.
The Axios npm package poisoning
This is a software supply chain attack. Attackers embedded a backdoor in versions 1.14.1 and 0.30.4. The backdoor code steals Node.js environment variables and transmits host information to external servers.
Some QNAP software projects use Axios. However, our development process pins package versions and locks the Software Bill of Materials (SBOM). Current software releases do not contain the infected package versions.
In summary, existing QNAP products are unaffected by these two issues. Device environments and network configurations require no changes.