Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (qnap) · only source for this CVE.
CVSS Vector (Vendor: qnap)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description (CVE.org)
QTS, QuTS hero, QuTScloud are not affected.
We have already fixed the vulnerability in the following version:
Analysis (AI)
External control of assumed-immutable web parameters in QNAP NAS software enables remote unauthenticated attackers to achieve low-integrity impact by manipulating parameters the application treats as unmodifiable. The vulnerability requires active user interaction to trigger, limiting opportunistic exploitation. QNAP has released a fix per advisory QSA-26-10; no public exploit code or CISA KEV listing has been identified at time of analysis.
Technical Context (AI)
CWE-472 (External Control of Assumed-Immutable Web Parameter) describes a class of vulnerability where a web application relies on parameters - such as hidden form fields, cookies, or URL query values - without enforcing their integrity server-side, assuming they cannot be tampered with by a user or intermediary. An attacker who intercepts or crafts requests can alter these values to influence application logic. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:A) indicates the attack is network-reachable, low complexity, requires no privileges, and does not rely on race conditions or special deployment state, but does require active user participation. CPE data lists cpe:2.3:a:qnap_systems_inc.:qts, cpe:2.3:a:qnap_systems_inc.:quts_hero, and cpe:2.3:a:qnap_systems_inc.:qutscloud as the affected software stack. Importantly, the provided description contains a direct contradiction: the vulnerability text states 'QTS, QuTS hero, QuTScloud are not affected,' yet all three are enumerated in the CPE affected product list - this inconsistency must be clarified with the vendor advisory before drawing firm conclusions about scope.
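To make the CWE-472 pattern concrete, the following is an added example written for this page; it is not code from QNAP or from the affected products, and the session store, record ids and handler names are constructed. It shows a handler that trusts hidden form fields next to a hardened version that takes identity and role from the server-side session, MAC-signs the one value that legitimately round-trips through the client, and cross-checks it against the session before acting.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Per-process signing key (constructed for this example; a real service loads it from config).
SERVER_KEY = secrets.token_bytes(32)

# Constructed server-side session store: the only trustworthy source of identity and role.
SESSIONS = {"sess-alice": {"user_id": "1001", "role": "user"}}


def handle_profile_update_vulnerable(form: dict) -> dict:
    """CWE-472 pattern: the handler trusts hidden fields (user_id, role) that the page
    rendered into the form, assuming the client sends them back unchanged."""
    return {"user_id": form["user_id"], "role": form["role"], "updated": True}


def sign_param(name: str, value: str) -> str:
    """Bind a value that must round-trip through the client to a server-side MAC."""
    mac = hmac.new(SERVER_KEY, f"{name}={value}".encode(), hashlib.sha256).hexdigest()
    return f"{value}.{mac}"


def verify_param(name: str, signed: str) -> Optional[str]:
    """Return the value only if its MAC verifies; None if malformed or tampered."""
    value, sep, mac = signed.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(SERVER_KEY, f"{name}={value}".encode(), hashlib.sha256).hexdigest()
    return value if hmac.compare_digest(mac, expected) else None


def handle_profile_update_hardened(session_id: str, form: dict) -> dict:
    """Hardened handler: role comes from the server-side session, never from the form;
    the round-tripped record id is MAC-verified and then checked against the session."""
    session = SESSIONS.get(session_id)
    if session is None:
        return {"error": "unauthenticated"}
    record_id = verify_param("user_id", form.get("user_id", ""))
    if record_id is None:
        return {"error": "tampered_parameter"}
    if record_id != session["user_id"]:
        return {"error": "forbidden"}
    # Any 'role' field the client sent is ignored entirely.
    return {"user_id": record_id, "role": session["role"], "updated": True}
```

The key design point is that a MAC alone is not enough: a signed value can still be replayed by a different user, so the hardened handler also checks that the verified id belongs to the current session. Values that carry authorization decisions (the role) never leave the server at all.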
Remediation (AI)
Apply the vendor-released patch referenced in QNAP Security Advisory QSA-26-10 at https://www.qnap.com/en/security-advisory/qsa-26-10. The exact fixed version was not present in the data provided - the description field appears truncated - so the specific target upgrade version must be obtained directly from the advisory before patching. As a compensating control pending patch application, restrict access to the QNAP management interface to trusted IP ranges via firewall rules, which reduces the network attack surface given the AV:N vector; note this does not eliminate the vulnerability but limits who can deliver a malicious request. Additionally, user awareness of phishing or social engineering attempts can reduce the UI:A exploitation vector, though this is not a technical control. The contradiction in the source data (description vs. CPE scope) means defenders should confirm applicability to their specific product and firmware version via the vendor advisory before investing in remediation effort.
EUVD-2025-210095
GHSA-vwqw-r29w-hrg7