Description
A buffer overflow vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to modify memory or crash processes.

We have already fixed the vulnerability in the following versions:
QTS 5.2.9.3410 build 20260214 and later
QuTS hero h5.2.9.3410 build 20260214 and later
QuTS hero h5.3.4.3500 build 20260520 and later
QuTS hero h6.0.0.3397 build 20260206 and later
Published: 2026-06-09
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a stack-based buffer overflow identified as CWE‑121. It allows a remote attacker who has already gained administrative privileges to corrupt memory or cause a process crash. The impact includes potential denial of service and loss of data integrity on the affected QNAP device.

Affected Systems

The flaw affects QNAP Systems Inc. firmware products QTS and QuTS hero running older firmware versions. The specific fixed releases are QTS 5.2.9.3410 build 20260214 and later, QuTS hero h5.2.9.3410 build 20260214 and later, QuTS hero h5.3.4.3500 build 20260520 and later, and QuTS hero h6.0.0.3397 build 20260206 and newer.

Risk and Exploitability

The CVSS score of 5.1 places the flaw in the moderate severity range. The EPSS score is not available, so the exploitation frequency cannot be precisely quantified. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is remote network traffic that reaches an administrator interface; the attacker needs administrative privileges to trigger the overflow, after which memory corruption or a crash could occur. Because it requires privileged access, the risk is moderate but still significant for compromised systems.

Generated by OpenCVE AI on June 9, 2026 at 08:52 UTC.

Remediation

Vendor Solution

We have already fixed the vulnerability in the following versions:
QTS 5.2.9.3410 build 20260214 and later
QuTS hero h5.2.9.3410 build 20260214 and later
QuTS hero h5.3.4.3500 build 20260520 and later
QuTS hero h6.0.0.3397 build 20260206 and later


OpenCVE Recommended Actions

  • Upgrade to the latest firmware releases that contain the fix: QTS 5.2.9.3410 build 20260214 or newer, QuTS hero h5.2.9.3410 build 20260214 or newer, QuTS hero h5.3.4.3500 build 20260520 or newer, or QuTS hero h6.0.0.3397 build 20260206 or newer.
  • If an immediate firmware upgrade is not possible, limit administrator access to internal networks and apply firewall rules to block external connections to the management interfaces.
  • Remove or disable any unnecessary administrative accounts that are exposed to remote networks, and enforce strict password policies.
  • Monitor system logs for signs of abnormal memory corruption or repeated process crashes that could indicate exploitation attempts.

Advisories

No advisories yet.

History

Tue, 09 Jun 2026 14:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 09 Jun 2026 09:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Qnap Systems; Qnap Systems qts; Qnap Systems quts Hero
Vendors & Products | | Qnap Systems; Qnap Systems qts; Qnap Systems quts Hero

Tue, 09 Jun 2026 07:45:00 +0000

Type | Values Removed | Values Added
Description | | A buffer overflow vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to modify memory or crash processes. We have already fixed the vulnerability in the following versions: QTS 5.2.9.3410 build 20260214 and later; QuTS hero h5.2.9.3410 build 20260214 and later; QuTS hero h5.3.4.3500 build 20260520 and later; QuTS hero h6.0.0.3397 build 20260206 and later
Title | | QTS, QuTS hero
Weaknesses | | CWE-121
References | |
Metrics | | cvssV4_0 {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: qnap

Published:

Updated: 2026-06-09T13:11:28.903Z

Reserved: 2025-10-24T02:43:49.269Z

Link: CVE-2025-62858

Vulnrichment

Updated: 2026-06-09T13:11:25.494Z

NVD

Status: Awaiting Analysis

Published: 2026-06-09T08:16:26.503

Modified: 2026-06-09T13:49:39.993

Link: CVE-2025-62858

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-09T09:00:08Z

Weaknesses
  • CWE-121

    Stack-based Buffer Overflow