PatchSiren cyber security CVE debrief
CVE-2025-66281 QNAP CVE debrief
CVE-2025-66281 is a NULL pointer dereference vulnerability reported in several QNAP operating system versions. This vulnerability allows remote attackers to launch a denial-of-service (DoS) attack. The vulnerability has been fixed in the following versions: QTS 5.2.9.3410 build 20260214 and later, QuTS hero h5.2.9.3410 build 20260214 and later, QuTS hero h5.3.4.3500 build 20260520 and later, and QuTS hero h6.0.0.3397 build 20260206 and later.
- Vendor: QNAP
- Product: QTS
- CVSS: MEDIUM 6.9
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-10
- Original CVE updated: 2026-06-10
- Advisory published: 2026-06-10
- Advisory updated: 2026-06-10
Who should care
Users of affected QNAP operating system versions should update to the fixed versions to prevent exploitation.
Technical summary
The vulnerability is a NULL pointer dereference, which can be exploited to launch a denial-of-service (DoS) attack. The CVSS score is 6.9, and the severity is MEDIUM.
Defensive priority
MEDIUM
Recommended defensive actions
- Update to QTS 5.2.9.3410 build 20260214 or later
- Update to QuTS hero h5.2.9.3410 build 20260214 or later
- Update to QuTS hero h5.3.4.3500 build 20260520 or later
- Update to QuTS hero h6.0.0.3397 build 20260206 or later
Evidence notes
The vulnerability was reported by an unknown vendor, but evidence suggests that QNAP is the affected vendor.
Official resources
- CVE-2025-66281 CVE record (CVE.org)
- CVE-2025-66281 NVD detail (NVD)
- Source item URL (nvd_modified)
- Source reference: CVE-2025-66281 was published on 2026-06-10T04:17:14.383Z and modified on 2026-06-10T19:43:28.857Z.