CVE-2025-66279 QNAP Systems Inc. CVE debrief

Who should care

Administrators and users of QNAP operating systems, particularly those using versions prior to the patched releases, should be aware of this vulnerability and take immediate action to update their systems.

Technical summary

The vulnerability, tracked as CVE-2025-66279, has a CVSS score of 8.6, indicating a high severity level. It allows an attacker to inject commands if they have administrator-level access. The Common Weakness Enumeration (CWE) for this vulnerability is CWE-78, which pertains to improper neutralization of special elements used in an OS command.

Defensive priority

High

Recommended defensive actions

• Update QTS to version 5.2.9.3410 build 20260214 or later
• Update QuTS hero h5.2.9 to version 5.2.9.3410 build 20260214 or later
• Update QuTS hero h5.3.4 to version 5.3.4.3500 build 20260520 or later
• Update QuTS hero h6.0.0 to version 6.0.0.3397 build 20260206 or later

Evidence notes

The information provided is based on data from official sources, including [cve-org](https://www.cve.org/CVERecord?id=CVE-2025-66279), [nvd](https://nvd.nist.gov/vuln/detail/CVE-2025-66279), and [ref-4](https://www.qnap.com/en/security-advisory/qsa-26-10).

Official resources