
QNAP QTS CVE-2025-66273
EUVD-2025-210099 · HIGH
OS Command Injection (CWE-78)
2026-06-10 · qnap · GHSA-8g9p-fvw8-cwm4
8.6 (CVSS 4.0 · NVD)

Severity by source

NVD PRIMARY
8.6 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: X (not a CVSS 4.0 metric; CVSS 4.0 replaced Scope with the Subsequent System impact metrics SC/SI/SA, all N in this vector)

Lifecycle Timeline (4 events)

Jun 10, 2026 - 06:23  Analysis Generated (vuln.today)
Jun 10, 2026 - 05:01  Patch available (EUVD)
Jun 10, 2026 - 04:22  CVSS changed (NVD): 8.6 (HIGH)
Jun 10, 2026 - 03:04  CVE Published (nvd): UNKNOWN (no severity yet)

Description (NVD)

A command injection vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to execute arbitrary commands.

We have already fixed the vulnerability in the following versions:
  QTS 5.2.9.3410 build 20260214 and later
  QuTS hero h5.2.9.3410 build 20260214 and later
  QuTS hero h5.3.4.3500 build 20260520 and later
  QuTS hero h6.0.0.3397 build 20260206 and later

Analysis (AI)

Authenticated command injection in the QNAP QTS and QuTS hero NAS operating systems allows a remote attacker who has already obtained administrator credentials to execute arbitrary OS commands on the appliance. Reported by QNAP itself and tracked as EUVD-2025-210099, the issue affects multiple branches across QTS 5.2.x and QuTS hero 5.2.x, 5.3.x, and 6.0.x, and is fixed in builds dated 2026-02-06 through 2026-05-20. No public exploit was identified at the time of analysis, and the issue is not listed in CISA KEV.

Technical Context (AI)

QTS and QuTS hero are QNAP's Linux-based firmware platforms for network-attached storage appliances, exposing a web-based administrative console (typically over HTTP/HTTPS) that wraps numerous shell-backed system management functions. The root cause is CWE-78 (Improper Neutralization of Special Elements used in an OS Command): an administrator-accessible code path in the management surface passes attacker-controlled input into a shell or exec-style call without adequate sanitization, so shell metacharacters can break out of the intended command. The advisory text quoted above does not identify which management function is affected. The CPE strings cpe:2.3:a:qnap_systems_inc.:qts and cpe:2.3:a:qnap_systems_inc.:quts_hero confirm that both the standard QTS firmware and the ZFS-based QuTS hero variant are in scope.
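The CWE-78 pattern described above, shown as an added illustration that is not QNAP's code and does not reflect the affected code path (which the advisory does not name): a management wrapper that splices a caller-supplied value into a shell command string, beside the hardened form that allow-lists the value and passes it as a single argv element with no shell involved. The `hostname` parameter, the `ping` stand-in and the `echo`-based runner are assumptions made for the demonstration.

```python
"""Added example (not QNAP code): the CWE-78 pattern behind this advisory."""
import re
import subprocess

# Allow-list for a hostname/IP-style parameter (constructed for the example).
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")

# Characters a POSIX shell interprets; used only for detection/logging below.
SHELL_META = frozenset(";&|`$<>()\\\"'\n{}")


def build_command_vulnerable(hostname: str) -> str:
    """Vulnerable pattern: the value is spliced into a shell command string.
    Anything the shell treats specially inside `hostname` alters the command.
    Returned as a string only; this example never executes it."""
    return f"ping -c 1 {hostname}"


def validate_hostname(hostname: str) -> str:
    """Reject anything outside the expected character set before exec."""
    if not HOSTNAME_RE.fullmatch(hostname):
        raise ValueError(f"rejected parameter: {hostname!r}")
    return hostname


def build_command_safe(hostname: str) -> list:
    """Hardened pattern: the validated value becomes one argv element."""
    return ["ping", "-c", "1", validate_hostname(hostname)]


def run_argv_literal(argv: list) -> str:
    """Execute an argv list with shell=False (subprocess default) and return
    stdout. The kernel receives each element as one literal argument, so
    metacharacters are not interpreted even before validation. Uses 'echo'
    so the demonstration runs offline (assumed stand-in for a real tool)."""
    result = subprocess.run(argv, capture_output=True, text=True, check=True)
    return result.stdout


def shell_metacharacters_present(value: str) -> bool:
    """Detection helper for request-log review: True if `value` contains a
    character a POSIX shell would interpret."""
    return any(ch in SHELL_META for ch in value)


if __name__ == "__main__":
    hostile = "nas.example.internal; id"  # constructed suspicious input
    print("vulnerable builder :", build_command_vulnerable(hostile))
    print("metacharacters?    :", shell_metacharacters_present(hostile))
    try:
        build_command_safe(hostile)
    except ValueError as exc:
        print("hardened builder   :", exc)
    print("argv stays literal :", run_argv_literal(["echo", hostile]).strip())
```

The allow-list is the primary control; argv-style execution is the second layer, and `shell_metacharacters_present` is the kind of check a defender can run over management-interface request logs to spot parameters that should never have contained shell syntax.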

Remediation (AI)

Vendor-released patches are available: upgrade QTS to 5.2.9.3410 build 20260214 or later, QuTS hero to h5.2.9.3410 build 20260214 or later on the 5.2 branch, h5.3.4.3500 build 20260520 or later on the 5.3 branch, and h6.0.0.3397 build 20260206 or later on the 6.0 branch, as documented at https://www.qnap.com/en/security-advisory/qsa-26-10. Until the firmware update can be applied: restrict the administrative web UI to trusted management networks via the device firewall or an upstream ACL (this also blocks legitimate remote administration from outside that network); disable any port forwarding or UPnP that exposes the admin port to the internet; and enforce strong, unique admin passwords plus 2-step verification, which makes the PR:H precondition harder to satisfy. Removing all non-essential accounts from the administrators group also reduces the blast radius if any admin credential is later compromised.
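A small triage helper, added here as an example and not QNAP's own tooling, that compares reported firmware versions against the fixed builds listed above. It parses the version format the advisory uses ("5.2.9.3410 build 20260214" for QTS, "h5.3.4.3500 build 20260520" for QuTS hero), identifies the branch by product plus major.minor, and reports a version on a branch the advisory does not list as unknown rather than patched. The hostnames and versions in the sample inventory are constructed.

```python
"""Added example: check reported QNAP firmware versions against the fixed
builds quoted in this advisory (QSA-26-10)."""
import re
from typing import Optional, Tuple

# Matches "5.2.9.3410 build 20260214" or "h5.2.9.3410 build 20260214".
VERSION_RE = re.compile(r"^h?(\d+)\.(\d+)\.(\d+)\.(\d+)\s+build\s+(\d{8})$")

# Fixed versions quoted from the advisory, keyed by (product, major, minor).
FIXED_VERSIONS = {
    ("qts", 5, 2): "5.2.9.3410 build 20260214",
    ("quts hero", 5, 2): "h5.2.9.3410 build 20260214",
    ("quts hero", 5, 3): "h5.3.4.3500 build 20260520",
    ("quts hero", 6, 0): "h6.0.0.3397 build 20260206",
}

# Constructed inventory: (hostname, product, reported version).
SAMPLE_INVENTORY = [
    ("nas-01", "QTS", "5.2.9.3410 build 20260214"),
    ("nas-02", "QTS", "5.2.8.3200 build 20251101"),
    ("nas-03", "QuTS hero", "h5.3.3.3000 build 20260101"),
    ("nas-04", "QuTS hero", "h6.0.1.3400 build 20260301"),
    ("nas-05", "QTS", "5.1.0.1000 build 20240101"),
    ("nas-06", "QTS", "5.2.9"),
]


def parse_version(text: str) -> Tuple[int, int, int, int, int]:
    """Return (major, minor, patch, release, build_date) as integers.
    Tuple ordering makes '>=' compare version numbers first, then the
    build date, which is how the advisory expresses 'and later'."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(g) for g in m.groups())  # type: ignore[return-value]


def is_patched(product: str, version: str) -> Optional[bool]:
    """True if `version` is at or beyond the fixed build for its branch,
    False if it is older, None if the advisory lists no fix for that branch."""
    parsed = parse_version(version)
    key = (product.strip().lower(), parsed[0], parsed[1])
    fixed = FIXED_VERSIONS.get(key)
    if fixed is None:
        return None
    return parsed >= parse_version(fixed)


def triage(inventory) -> dict:
    """Map each hostname to 'patched', 'vulnerable', 'unknown branch' or
    'unparseable' so the result can drive a ticket or dashboard."""
    report = {}
    for host, product, version in inventory:
        try:
            status = is_patched(product, version)
        except ValueError:
            report[host] = "unparseable"
            continue
        report[host] = {True: "patched", False: "vulnerable", None: "unknown branch"}[status]
    return report


if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Treat "unknown branch" as a prompt to consult the vendor advisory rather than as a clean result: the advisory's list is the only source of fixed builds, and a branch missing from it may simply not be covered by this record.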


CVE-2025-66273 vulnerability details – vuln.today
