PatchSiren cyber security CVE debrief

CVE-2025-66273 QNAP Systems Inc. CVE debrief

CVE-2025-66273 is a high-severity command injection vulnerability affecting several QNAP operating system versions. An attacker who has gained access with administrator privileges can exploit this vulnerability to execute arbitrary commands. The vulnerability has been addressed in the following versions: QTS 5.2.9.3410 build 20260214 and later, QuTS hero h5.2.9.3410 build 20260214 and later, QuTS hero h5.3.4.3500 build 20260520 and later, and QuTS hero h6.0.0.3397 build 20260206 and later.

Vendor: QNAP Systems Inc.
Product: QTS
CVSS: HIGH 8.6
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-10
Original CVE updated: 2026-06-10
Advisory published: 2026-06-10
Advisory updated: 2026-06-10

Who should care

Administrators and users of QNAP operating systems, particularly those using versions prior to QTS 5.2.9.3410 build 20260214, QuTS hero h5.2.9.3410 build 20260214, QuTS hero h5.3.4.3500 build 20260520, and QuTS hero h6.0.0.3397 build 20260206.

Technical summary

The vulnerability, tracked as CVE-2025-66273, allows an attacker who has gained access with administrator privileges to execute arbitrary commands. It is categorized under CWE-78 (OS command injection) and has a CVSS score of 8.6, indicating high severity.

Defensive priority

High

Recommended defensive actions

  • Upgrade to the fixed version for the installed release: QTS 5.2.9.3410 build 20260214 or later, QuTS hero h5.2.9.3410 build 20260214 or later, QuTS hero h5.3.4.3500 build 20260520 or later, or QuTS hero h6.0.0.3397 build 20260206 or later.
  • Restrict access to administrator accounts to minimize the risk of exploitation.
  • Monitor QNAP security advisories for further updates and patches.

Evidence notes

The CVE-2025-66273 vulnerability was reported to affect several QNAP operating system versions. The vendor, QNAP, has provided fixes for this issue in the specified versions.

Official resources

CVE-2025-66273 was published on 2026-06-10T04:17:12.057Z and modified on 2026-06-10T19:43:28.857Z.