QNAP QTS EUVD-2025-210100 | CVE-2025-66279 | HIGH
OS Command Injection (CWE-78)
2026-06-10 · qnap · GHSA-vpcm-92g9-vgwx
8.6 (CVSS 4.0 · NVD)

Severity by source

Vendor (qnap), PRIMARY: HIGH (qualitative)
NVD: 8.6 HIGH (CVSS 4.0; full vector below)

Primary rating from Vendor (qnap).

CVSS Vector (NVD)

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: X

Lifecycle Timeline (4 events)

Analysis Generated: Jun 10, 2026 - 06:22 (vuln.today)
Patch available: Jun 10, 2026 - 05:01 (EUVD)
CVSS changed: Jun 10, 2026 - 04:22 (NVD), 8.6 (HIGH)
CVE Published: Jun 10, 2026 - 03:05 (nvd), UNKNOWN (no severity yet)

Description (NVD)

A command injection vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to execute arbitrary commands.

We have already fixed the vulnerability in the following versions:
QTS 5.2.9.3410 build 20260214 and later
QuTS hero h5.2.9.3410 build 20260214 and later
QuTS hero h5.3.4.3500 build 20260520 and later
QuTS hero h6.0.0.3397 build 20260206 and later

Analysis (AI)

Authenticated command injection in QNAP QTS and QuTS hero allows a remote attacker holding administrator credentials to execute arbitrary OS commands on the NAS appliance. The CVSS 4.0 base score of 8.6 reflects high impact on confidentiality, integrity, and availability, although exploitation requires high privileges (PR:H). No public exploit had been identified at the time of analysis, and the issue is not listed in CISA KEV; QNAP has released fixed builds across the affected QTS and QuTS hero branches.

Technical Context (AI)

QTS and QuTS hero are QNAP's NAS operating systems used on consumer and SMB storage appliances; QuTS hero is the ZFS-based variant. The flaw maps to CWE-78 (Improper Neutralization of Special Elements used in an OS Command), meaning an administrative web/API interface passes attacker-controlled input into a shell or process invocation without adequate sanitization. CPE data identifies the affected products as cpe:2.3:a:qnap_systems_inc.:qts and cpe:2.3:a:qnap_systems_inc.:quts_hero across multiple branches (5.2, 5.3, and 6.0 lines of QuTS hero, plus QTS 5.2). Because NAS devices typically expose management interfaces over HTTP(S), successful injection runs in the context of the administrative service, which on QNAP appliances is typically high-privileged.

Remediation (AI)

Vendor-released patches are available: upgrade QTS to 5.2.9.3410 build 20260214 or later, QuTS hero h5.2 to h5.2.9.3410 build 20260214 or later, QuTS hero h5.3 to h5.3.4.3500 build 20260520 or later, and the QuTS hero 6.0 line to h6.0.0.3397 build 20260206 or later, following QNAP advisory https://www.qnap.com/en/security-advisory/qsa-26-10. Until firmware is applied, restrict reachability of the administrative web/API interface by binding it to a management VLAN or VPN and blocking inbound WAN access (trade-off: remote administration via myQNAPcloud or port-forwarded HTTPS will break), enforce strong unique passwords plus 2-step verification on every administrator account to make the PR:H requirement materially harder to satisfy, and rotate admin credentials if any exposure to untrusted networks has occurred. Disable or remove unused administrator accounts to shrink the attack surface, and review system event logs for unexpected admin logins or shell command execution as a detective control.
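A fleet-side check against the fixed builds listed above, added here as an example (it is not code from vuln.today or QNAP). It assumes the "PRODUCT x.y.z.nnnn build YYYYMMDD" wording of the advisory text as its input format, and treats any branch this page does not list as undecidable rather than as patched.

```python
import re
from typing import Optional, Tuple

# Fixed builds exactly as stated in the advisory text on this page, keyed by
# (product, branch); branches not listed here cannot be judged from this page.
FIXED_BUILDS = {
    ("QTS", "5.2"):        ((5, 2, 9, 3410), 20260214),
    ("QuTS hero", "h5.2"): ((5, 2, 9, 3410), 20260214),
    ("QuTS hero", "h5.3"): ((5, 3, 4, 3500), 20260520),
    ("QuTS hero", "h6.0"): ((6, 0, 0, 3397), 20260206),
}

# Input format assumed from the advisory wording, e.g. "QuTS hero h5.3.4.3500 build 20260520".
_VERSION_RE = re.compile(r"^(QTS|QuTS hero)\s+(h?)(\d+)\.(\d+)\.(\d+)\.(\d+)\s+build\s+(\d{8})$")

def parse_version(text: str) -> Tuple[str, str, Tuple[int, int, int, int], int]:
    """Split a version string into (product, branch, numeric version, build date)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised QNAP version string: {text!r}")
    product, h, a, b, c, d, build = m.groups()
    branch = f"{h}{a}.{b}"  # "5.2" for QTS, "h5.3" for QuTS hero
    return product, branch, (int(a), int(b), int(c), int(d)), int(build)

def is_patched(text: str) -> Optional[bool]:
    """True if at/after the fixed build for its branch, False if older,
    None if this page lists no fixed build for that branch."""
    product, branch, version, build = parse_version(text)
    fixed = FIXED_BUILDS.get((product, branch))
    if fixed is None:
        return None
    # Dotted version is compared first, then the build date, as one tuple.
    return (version, build) >= fixed

def needs_patch(inventory):
    """Return the entries confirmed to be older than their branch's fixed build."""
    return [v for v in inventory if is_patched(v) is False]

if __name__ == "__main__":
    # Constructed sample inventory, not real devices.
    sample = ["QTS 5.2.9.3410 build 20260214",
              "QTS 5.2.7.3100 build 20251020",
              "QuTS hero h5.3.4.3500 build 20260519",
              "QuTS hero h5.1.9.3000 build 20260101"]
    for v in sample:
        print(f"{v}: patched={is_patched(v)}")
    print("needs patch:", needs_patch(sample))
```

Entries that return None (an unlisted branch) should be checked against the QNAP advisory directly rather than assumed safe.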


EUVD-2025-210100 vulnerability details – vuln.today
