EUVD-2025-210082
GHSA-prxr-642c-c266
Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (qnap) · only source for this CVE.
CVSS VectorVendor: qnap
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
A buffer overflow vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to modify memory or crash processes.
We have already fixed the vulnerability in the following versions: QTS 5.2.9.3410 build 20260214 and later QuTS hero h5.2.9.3410 build 20260214 and later QuTS hero h5.3.4.3500 build 20260520 and later QuTS hero h6.0.0.3397 build 20260206 and later
AnalysisAI
Stack-based buffer overflow in QNAP QTS and QuTS hero NAS operating systems enables an authenticated administrator to corrupt stack memory or crash processes via a network-accessible attack path. Affected versions span QTS 5.2.x and multiple QuTS hero release trains (h5.2.x, h5.3.x, h6.0.x), with vendor-released patches dated February-May 2026. No public exploit code and no CISA KEV listing have been identified at time of analysis, and the mandatory high-privilege prerequisite substantially limits realistic attack surface.
Technical ContextAI
CWE-121 (Stack-based Buffer Overflow) describes a condition where attacker-controlled data written to a stack-allocated buffer exceeds its bounds, potentially overwriting return addresses, saved registers, or adjacent local variables. QNAP QTS and QuTS hero are the proprietary Linux-based operating systems powering QNAP network-attached storage appliances. CPE strings cpe:2.3:a:qnap_systems_inc.:qts and cpe:2.3:a:qnap_systems_inc.:quts_hero confirm both OS product lines as affected. The vulnerability likely resides in a network-exposed service or API endpoint within the OS, given the AV:N (network) attack vector, but the specific component is not identified in available data. QuTS hero is QNAP's ZFS-based enterprise variant, while QTS is the standard NAS OS; both share the underlying vulnerable code path based on CPE coverage.
RemediationAI
Upgrade to a vendor-patched release: QTS 5.2.9.3410 build 20260214 or later; QuTS hero h5.2.9.3410 build 20260214 or later; QuTS hero h5.3.4.3500 build 20260520 or later; or QuTS hero h6.0.0.3397 build 20260206 or later. These are the exact fixed builds confirmed by QNAP advisory QSA-26-10 (https://www.qnap.com/en/security-advisory/qsa-26-10). As a compensating control before patching, restrict administrator account access by enforcing strong unique passwords, enabling multi-factor authentication for the QNAP admin interface, and blocking direct internet exposure of the NAS management UI at the network perimeter - this directly addresses the PR:H prerequisite by reducing the likelihood of admin credential compromise. Note that blocking internet access does not eliminate risk from insider threats or already-compromised internal hosts with admin access.
More from same product – last 7 days
High-severity information disclosure flaw in QNAP QTS NAS operating system versions 5.2.0 through 5.2.7.3256 build 20250
Cross-site scripting in QNAP QTS and QuTS hero operating systems allows remote attackers to bypass security mechanisms a
Path traversal in QNAP QTS and QuTS hero NAS operating systems exposes arbitrary file contents to attackers who have alr
External control of assumed-immutable web parameters in QNAP NAS software enables remote unauthenticated attackers to ac
Share
External POC / Exploit Code
Leaving vuln.today