EUVD-2025-210094
GHSA-67cg-rrvw-5r8m
Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (qnap) · only source for this CVE.
CVSS VectorVendor: qnap
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
QuTS hero is not affected.
We have already fixed the vulnerability in the following version: QTS 5.2.7.3256 build 20250913 and later
AnalysisAI
High-severity information disclosure flaw in QNAP QTS NAS operating system versions 5.2.0 through 5.2.7.3256 build 20250913 allows remote unauthenticated attackers to obtain sensitive data over the network with low attack complexity, per CVSS v4.0 vector AV:N/AC:L/PR:N/UI:N rating 9.2. The vendor has released a fix, and notably QuTS hero is explicitly unaffected. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.
Technical ContextAI
QTS is QNAP's primary NAS (network-attached storage) operating system, widely deployed on consumer and small-business storage appliances and typically exposed to LAN and occasionally WAN management interfaces. The CPE data confirms two QNAP product lines were initially in scope (qts and quts_hero), but the advisory clarifies that only QTS is vulnerable while QuTS hero (the ZFS-based sibling OS) is not, suggesting the defect lives in a QTS-specific component or code path. The vendor tag classifies this as Information Disclosure, but the upstream CWE was not published, so the precise weakness class (e.g., improper authorization, path traversal, missing authentication on an endpoint) cannot be confirmed from available data; the high CVSS v4.0 Confidentiality, Integrity, and Availability impact ratings (VC:H/VI:H/VA:H) are inconsistent with a pure read-only disclosure and hint at a broader compromise primitive than the Information Disclosure tag alone implies.
RemediationAI
Vendor-released patch: upgrade QTS to 5.2.7.3256 build 20250913 or later, as published in QNAP security advisory QSA-25-56 (https://www.qnap.com/en/security-advisory/qsa-25-56); apply via the QTS App Center or the Control Panel > System > Firmware Update workflow. QuTS hero deployments require no action as QNAP confirms they are not affected. No vendor-documented workaround is published, so on appliances that cannot be immediately updated, restrict management-plane exposure by removing the device from direct internet reachability, disabling UPnP/port-forwarding for QTS web ports (default 8080/443), and constraining access to the management UI to a trusted LAN segment or VPN - the trade-off is loss of remote administration and any QNAP cloud-relay features (myQNAPcloud, Remote Link) that depend on the management interface, but this materially shrinks the unauthenticated attack surface until patching is feasible.
More from same product – last 7 days
Cross-site scripting in QNAP QTS and QuTS hero operating systems allows remote attackers to bypass security mechanisms a
Path traversal in QNAP QTS and QuTS hero NAS operating systems exposes arbitrary file contents to attackers who have alr
Stack-based buffer overflow in QNAP QTS and QuTS hero NAS operating systems enables an authenticated administrator to co
External control of assumed-immutable web parameters in QNAP NAS software enables remote unauthenticated attackers to ac
Share
External POC / Exploit Code
Leaving vuln.today