Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (qnap) · only source for this CVE.
Description (CVE.org)
QuTS hero is not affected.
We have already fixed the vulnerability in the following version: QTS 5.2.7.3256 build 20250913 and later
Analysis (AI)
High-severity information disclosure flaw in QNAP QTS NAS operating system versions 5.2.0 through 5.2.7.3256 build 20250913 allows remote unauthenticated attackers to obtain sensitive data over the network with low attack complexity; the CVSS v4.0 vector (AV:N/AC:L/PR:N/UI:N) is rated 9.2. The vendor has released a fix, and QuTS hero is explicitly unaffected. No public exploit was identified at the time of analysis, and the issue is not currently listed in CISA KEV.
Technical Context (AI)
QTS is QNAP's primary NAS (network-attached storage) operating system, widely deployed on consumer and small-business storage appliances, with management interfaces typically exposed to the LAN and occasionally to the WAN. The CPE data confirms two QNAP product lines were initially in scope (qts and quts_hero), but the advisory clarifies that only QTS is vulnerable while QuTS hero (the ZFS-based sibling OS) is not, suggesting the defect lives in a QTS-specific component or code path. The vendor tag classifies this as Information Disclosure, but the upstream CWE was not published, so the precise weakness class (e.g., improper authorization, path traversal, missing authentication on an endpoint) cannot be confirmed from available data. The high CVSS v4.0 Confidentiality, Integrity, and Availability impact ratings (VC:H/VI:H/VA:H) are inconsistent with a pure read-only disclosure and hint at a broader compromise primitive than the Information Disclosure tag alone implies.
Remediation (AI)
Vendor-released patch: upgrade QTS to 5.2.7.3256 build 20250913 or later, as published in QNAP security advisory QSA-25-56 (https://www.qnap.com/en/security-advisory/qsa-25-56). Apply it via the QTS App Center or the Control Panel > System > Firmware Update workflow. QuTS hero deployments require no action, as QNAP confirms they are not affected.

No vendor-documented workaround is published. On appliances that cannot be updated immediately, restrict management-plane exposure: remove the device from direct internet reachability, disable UPnP/port-forwarding for QTS web ports (default 8080/443), and constrain access to the management UI to a trusted LAN segment or VPN. The trade-off is loss of remote administration and of any QNAP cloud-relay features (myQNAPcloud, Remote Link) that depend on the management interface, but this materially shrinks the unauthenticated attack surface until patching is feasible.
EUVD-2025-210094
GHSA-67cg-rrvw-5r8m