PatchSiren cyber security CVE debrief
CVE-2025-66280 QNAP Systems Inc. CVE debrief
CVE-2025-66280 is a medium-severity vulnerability (CVSS score: 5.1) affecting several QNAP operating system versions. The vulnerability is caused by an integer overflow or wraparound weakness, which can be exploited by a remote attacker with administrator privileges to compromise the security of the system. QNAP has released patched versions to address this issue: QTS 5.2.9.3410 build 20260214 and later, QuTS hero h5.2.9.3410 build 20260214 and later, QuTS hero h5.3.4.3500 build 20260520 and later, and QuTS hero h6.0.0.3397 build 20260206 and later.
- Vendor: QNAP Systems Inc.
- Product: QTS
- CVSS: MEDIUM 5.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-10
- Original CVE updated: 2026-06-10
- Advisory published: 2026-06-10
- Advisory updated: 2026-06-10
Who should care
Administrators and users of QNAP operating systems, particularly those using versions prior to the patched releases, should be aware of this vulnerability and take necessary actions to update their systems.
Technical summary
The vulnerability is an integer overflow or wraparound weakness (CWE-190); the record also maps it to CWE-121 (stack-based buffer overflow). A remote attacker with administrator privileges can exploit this vulnerability to compromise the security of the system.
Defensive priority
Medium
Recommended defensive actions
- Update to QTS 5.2.9.3410 build 20260214 or later
- Update to QuTS hero h5.2.9.3410 build 20260214 or later
- Update to QuTS hero h5.3.4.3500 build 20260520 or later
- Update to QuTS hero h6.0.0.3397 build 20260206 or later
Evidence notes
The CVE record and NVD detail can be found at [cve-org](https://www.cve.org/CVERecord?id=CVE-2025-66280) and [nvd](https://nvd.nist.gov/vuln/detail/CVE-2025-66280), respectively. Additional information is available in the QNAP security advisory at [ref-4](https://www.qnap.com/en/security-advisory/qsa-26-10).
Official resources
- CVE-2025-66280 CVE record (CVE.org)
- CVE-2025-66280 NVD detail (NVD)
- Source item URL (nvd_modified)
- Source reference: CVE-2025-66280 was published on 2026-06-10T04:17:12.420Z and modified on 2026-06-10T19:43:28.857Z.