External risk intelligence

QNAP QTS Remote Code Execution Vulnerability

CVE advisorySeverity: CRITICAL (CVSS 9.2)

CVE-2025-66276

A critical remote code execution vulnerability exists in QNAP QTS, a network-attached storage operating system. If reachable, this flaw could allow an unauthenticated attacker to gain unauthorized control of affected systems, impacting data confidentiality, integrity, and availability. Confirmation of exposure and prom

4Halo Surface Signal

Qnap Qts

4.3.0 to before 5.2.7.3256

External exposure likelihood

Halo Surface Signal score for CVE-2025-66276

The vulnerability affects QNAP QTS, an operating system designed for network-attached storage (NAS) devices. These devices are frequently deployed as internet-facing appliances, often exposed to the public internet to facilitate remote access to files, management interfaces, or web services.

PCI scan relevance

PCI Relevance for CVE-2025-66276

Yes

CVE-2025-66276 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This vulnerability is PCI scan-relevant as it could lead to an automatic failure of an ASV scan due to a critical remote code execution risk.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Horizon Alert

Summary of the vulnerability and why it matters

A critical vulnerability has been identified affecting QNAP QTS, a network-attached storage operating system. This issue could allow unauthorized access and control over affected systems, potentially impacting data integrity and system availability. The primary concern is to confirm if your QNAP devices are running the affected software and require immediate attention.

  • Software flaw permits unauthorized system access.
  • QNAP devices are often internet-facing.
  • Confirm exposure and apply updates promptly.

Attack Path

How an attacker could exploit the issue

An attacker could reach this vulnerability by exploiting an unauthenticated network-accessible component of the affected system. This would allow them to directly trigger the vulnerability, potentially leading to significant compromise of the system's confidentiality, integrity, and availability.

  • No authentication required.
  • Triggered via network exposure.
  • Severe impact to confidentiality, integrity, availability.

Live Threat

Current exploitation, exposure, and threat context

The vulnerability could impact the integrity and confidentiality of data stored on affected QNAP devices when they are exposed to the network.

  • System data and service integrity at risk.
  • Remote network access could lead to exposure.
  • Unauthorized data modification or access.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

QuTS hero is not affected by this vulnerability. The first step for affected systems is to identify all instances of QTS, determine their reachability and criticality, and assign an owner for remediation. Subsequent actions will depend on this initial assessment and risk analysis.

  • Identify QTS system owners.
  • Verify system reachability and criticality.
  • Plan remediation based on risk.

Frequently asked questions

What is QNAP QTS?

QNAP QTS is the primary operating system used in many network-attached storage (NAS) devices. It provides the core functionality that allows users to manage files, configure storage, and run various applications on the hardware. It is distinct from QNAP’s other operating system, QuTS hero, which is not affected by this vulnerability.

How does CVE-2025-66276 impact system security?

This vulnerability allows an unauthorized attacker to gain remote control over a target system. Because the flaw grants high-level access without requiring a password or login, it could allow an attacker to modify or access the data stored on the NAS, or disrupt the device's availability entirely.

Can this vulnerability be triggered without network access?

No. The vulnerability requires the system to be reachable over a network to be triggered. If a device is kept on a private, isolated network with no access from the broader internet or untrusted users, the opportunity for an attacker to initiate the attack sequence is significantly reduced.

Why does Halo Surface Signal categorize this as an external risk?

Halo Surface Signal flags this as an external risk because QNAP NAS devices are frequently configured to be internet-facing. When these management interfaces are exposed to the public internet, they become reachable by remote attackers, increasing the likelihood that they could encounter and exploit this vulnerability.

What is the recommended first step for QTS users?

The immediate priority is to verify if your device is running the affected version of QTS. Start by identifying all QTS instances in your environment, assessing whether they are exposed to the network, and checking the system build version. If your device is running an version earlier than 5.2.7.3256, you should plan to apply the update provided by the vendor.

References

Sources and related resources

Primary sources: NVD, CVE.org.

NVDPublished Modified