Description
A command injection vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to execute arbitrary commands.

We have already fixed the vulnerability in the following versions:
QTS 5.2.9.3410 build 20260214 and later
QuTS hero h5.2.9.3410 build 20260214 and later
QuTS hero h5.3.4.3500 build 20260520 and later
QuTS hero h6.0.0.3397 build 20260206 and later
Published: 2026-06-10
Score: 8.6 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A vulnerability in QNAP's QTS and QuTS hero operating systems allows a remote attacker who holds administrative credentials to execute arbitrary commands. The flaw is a classic OS command injection (CWE-78): attacker-controlled input reaches a system command without proper neutralization and is executed by the device. Depending on the privileges of the executing process, this can compromise the entire device, exfiltrate data, or disrupt network services.

Affected Systems

QNAP Systems Inc.'s QTS and QuTS hero platforms are affected. All versions before QTS 5.2.9.3410 build 20260214; QuTS hero h5.2.9.3410 build 20260214; QuTS hero h5.3.4.3500 build 20260520; and QuTS hero h6.0.0.3397 build 20260206 are vulnerable.

Risk and Exploitability

The CVSS score of 8.6 indicates high severity, and the vulnerability is classified as CWE-78. The EPSS score is not available, so the exploitation probability is uncertain, but the attack requires an administrator account, which is a significant privilege dependency. After compromising or guessing an administrator credential, an attacker can send crafted input that is interpreted as a system command and executed with system privileges. The advisory is not listed in the CISA KEV. Because no public exploits are currently documented, the immediate risk is moderate to high; prompt mitigation is still recommended to prevent potential abuse.

Generated by OpenCVE AI on June 10, 2026 at 04:24 UTC.

Remediation

Vendor Solution

We have already fixed the vulnerability in the following versions:
QTS 5.2.9.3410 build 20260214 and later
QuTS hero h5.2.9.3410 build 20260214 and later
QuTS hero h5.3.4.3500 build 20260520 and later
QuTS hero h6.0.0.3397 build 20260206 and later


OpenCVE Recommended Actions

  • Upgrade to the latest firmware: install QTS 5.2.9.3410 build 20260214 or newer, or any QuTS hero release from the specified builds or later.
  • Limit access to administrative interfaces by configuring firewall rules or VPN restrictions so that only trusted IP addresses can reach them.
  • Enforce multi-factor authentication for all administrator accounts and regularly rotate strong passwords.


Tracking


Advisories

No advisories yet.

History

Wed, 10 Jun 2026 03:45:00 +0000

Type: Description
  Values Removed:
  Values Added: A command injection vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to execute arbitrary commands. We have already fixed the vulnerability in the following versions: QTS 5.2.9.3410 build 20260214 and later; QuTS hero h5.2.9.3410 build 20260214 and later; QuTS hero h5.3.4.3500 build 20260520 and later; QuTS hero h6.0.0.3397 build 20260206 and later

Type: Title
  Values Removed:
  Values Added: QTS, QuTS hero

Type: Weaknesses
  Values Removed:
  Values Added: CWE-78

Type: References
  Values Removed:
  Values Added:

Type: Metrics
  Values Removed:
  Values Added: cvssV4_0 {'score': 8.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}



MITRE

Status: PUBLISHED

Assigner: qnap

Published:

Updated: 2026-06-10T03:04:39.973Z

Reserved: 2025-11-26T09:25:37.832Z

Link: CVE-2025-66273

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-10T04:17:12.057

Modified: 2026-06-10T04:17:12.057

Link: CVE-2025-66273

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-10T04:30:06Z

Weaknesses