PatchSiren cyber security CVE debrief
CVE-2025-66274 QNAP Systems Inc. CVE debrief
CVE-2025-66274 is a NULL pointer dereference vulnerability affecting several QNAP operating system versions. A remote attacker with administrator privileges can exploit this vulnerability to launch a denial-of-service (DoS) attack. The vulnerability has been fixed in QTS 5.2.9.3410 build 20260214 and later, QuTS hero h5.2.9.3410 build 20260214 and later, QuTS hero h5.3.2.3354 build 20251225 and later, and QuTS hero h6.0.0.3397 build 20260206 and later.
- Vendor: QNAP Systems Inc.
- Product: QTS
- CVSS: MEDIUM 5.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-02-11
- Original CVE updated: 2026-06-09
- Advisory published: 2026-02-11
- Advisory updated: 2026-06-09
Who should care
Administrators of QNAP operating systems, particularly those using versions prior to the fixed versions mentioned above.
Technical summary
The vulnerability is a NULL pointer dereference, which can be exploited by a remote attacker with administrator privileges to launch a DoS attack. The CVSS score for this vulnerability is 5.1, indicating a medium severity.
Defensive priority
Medium
Recommended defensive actions
- Update to QTS 5.2.9.3410 build 20260214 or later
- Update to QuTS hero h5.2.9.3410 build 20260214 or later
- Update to QuTS hero h5.3.2.3354 build 20251225 or later
- Update to QuTS hero h6.0.0.3397 build 20260206 or later
Evidence notes
The vulnerability has been reported by QNAP and is tracked under CVE-2025-66274. The CVSS vector for this vulnerability is CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X.
Official resources
- CVE-2025-66274 CVE record (CVE.org)
- CVE-2025-66274 NVD detail (NVD)
- Source item URL (nvd_modified)
- Mitigation or vendor reference ([email protected] - Vendor Advisory)
CVE-2025-66274 was published on 2026-02-11T13:15:58.243Z and modified on 2026-06-09T08:16:26.640Z.