Description
A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack.

We have already fixed the vulnerability in the following versions:
QuTS hero h5.2.9.3410 build 20260214 and later
QuTS hero h5.3.4.3500 build 20260520 and later
QuTS hero h6.0.0.3459 build 20260409 and later
Published: 2026-06-10
Score: 5.1 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A NULL pointer dereference flaw in QNAP Systems Inc.'s QuTS hero firmware allows an attacker with administrative privileges to trigger a denial of service by crashing the system. The weakness is identified as CWE-476 and results in loss of availability for all users of the affected device. Remote exploitation is possible only after the attacker has compromised administrative credentials, so protecting admin accounts is critical.

Affected Systems

The vulnerability affects all QuTS hero firmware releases prior to the fixed versions listed in the advisory. QNAP recommends upgrading to at least h5.2.9.3410 build 20260214, h5.3.4.3500 build 20260520, or h6.0.0.3459 build 20260409, or any later build. The affected product is the QuTS hero operating system from QNAP Systems Inc.

Risk and Exploitability

The CVSS score of 5.1 places this issue in the medium severity range, and the EPSS score is not available, suggesting limited public exploitation data. Because the flaw can be triggered only after an attacker has obtained administrative rights, it does not pose a broad threat to all users, but if admin credentials are compromised it can be abused to disrupt service. The vulnerability is not listed in the CISA KEV catalog, indicating no confirmed operational incidents yet.

Generated by OpenCVE AI on June 10, 2026 at 04:25 UTC.

Remediation

Vendor Solution

We have already fixed the vulnerability in the following versions:
QuTS hero h5.2.9.3410 build 20260214 and later
QuTS hero h5.3.4.3500 build 20260520 and later
QuTS hero h6.0.0.3459 build 20260409 and later


OpenCVE Recommended Actions

  • Upgrade to the latest patched firmware version from QNAP, ensuring the device runs at least h5.2.9.3410 build 20260214, h5.3.4.3500 build 20260520, or h6.0.0.3459 build 20260409 or newer.
  • Restrict administrative access to the QuTS hero system and enforce least‑privilege principles until the firmware update is applied.
  • Perform a system backup before installing the firmware update to allow rapid recovery if update issues arise.


Advisories

No advisories yet.

History

Wed, 10 Jun 2026 04:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Qnap Systems; Qnap Systems quts Hero
Vendors & Products | | Qnap Systems; Qnap Systems quts Hero

Wed, 10 Jun 2026 03:45:00 +0000

Type | Values Removed | Values Added
Description | | A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following versions: QuTS hero h5.2.9.3410 build 20260214 and later; QuTS hero h5.3.4.3500 build 20260520 and later; QuTS hero h6.0.0.3459 build 20260409 and later
Title | | QuTS hero
Weaknesses | | CWE-476
References | |
Metrics | | cvssV4_0 {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: qnap

Published:

Updated: 2026-06-10T02:34:24.331Z

Reserved: 2025-10-24T02:43:49.268Z

Link: CVE-2025-62850

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-10T04:17:07.620

Modified: 2026-06-10T04:17:07.620

Link: CVE-2025-62850

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-10T04:30:06Z

Weaknesses