QNAP Patches Multiple Flaws in NAS Operating Systems, One Critical
Take action: As usual, the first step is to isolate your QNAP NAS from the public internet and make it accessible only from trusted networks, with strong credentials. Then plan an update.
QNAP released security updates for its QTS and QuTS hero operating systems to fix multiple vulnerabilities, including a critical path traversal flaw. These flaws primarily affect network-attached storage (NAS) devices used in both home and enterprise environments for data management and backups.
Vulnerabilities summary:
- CVE-2025-66277 (CVSS score 9.8) - A link following vulnerability that functions as a path traversal attack. By exploiting improper validation of symbolic links or file paths, remote attackers can navigate outside of intended directories to access protected areas of the file system. This allows for the disclosure of sensitive data or potential system compromise.
- CVE-2025-48725 (CVSS score 8.1) - A high-severity vulnerability affecting QNAP operating systems. Technical details are not disclosed in the advisory.
- CVE-2025-47205 (CVSS score 7.5) - A NULL pointer dereference vulnerability triggered during specific system operations. If a remote attacker gains administrator credentials, they can use this flaw to crash the system service, resulting in a persistent denial-of-service state.
- CVE-2025-58466 (CVSS score 4.9) - A use of uninitialized variable vulnerability that allows for control flow manipulation. An authenticated attacker with administrative rights can exploit this to cause system instability or modify the execution path of internal processes.
- CVE-2025-66274 (CVSS score 4.9) and CVE-2025-59386 (CVSS score 4.9) - Vulnerabilities that enable denial-of-service conditions.
The vulnerabilities affect QTS 5.2.x and QuTS hero h5.2.x branches in versions prior to the December 2025 and January 2026 builds.
The flaws are resolved in QTS 5.2.8.3350 build 20251216, QuTS hero h5.2.8.3350 build 20251216, and QuTS hero h5.3.2.3354 build 20251225.
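To triage a fleet against the fixed releases listed above, the following added helper (not QNAP's code, and not from the original post) parses a QTS or QuTS hero version string such as `h5.2.8.3350 build 20251216` and compares it, per branch, with the patched version and build date from the advisory. It assumes the admin has already read the version string off the device; the older version numbers used in the demonstration are constructed, not real releases.

```python
import re
from typing import NamedTuple, Optional, Tuple

# Fixed releases named in the advisory, keyed by (product, branch).
# Version tuples and build dates are taken from the advisory text above.
FIXED_RELEASES = {
    ("QTS", "5.2"): ((5, 2, 8, 3350), 20251216),
    ("QuTS hero", "h5.2"): ((5, 2, 8, 3350), 20251216),
    ("QuTS hero", "h5.3"): ((5, 3, 2, 3354), 20251225),
}

class Firmware(NamedTuple):
    product: str
    branch: str                      # e.g. "5.2" for QTS, "h5.2" for QuTS hero
    version: Tuple[int, int, int, int]
    build: int                       # YYYYMMDD build date, 0 if absent

# Assumed format: optional "h" prefix, four dotted integers, optional "build YYYYMMDD".
_VERSION_RE = re.compile(
    r"^(h?)(\d+)\.(\d+)\.(\d+)\.(\d+)(?:\s+build\s+(\d{8}))?$", re.IGNORECASE)

def parse_firmware(product: str, text: str) -> Firmware:
    """Parse a version string like 'h5.2.8.3350 build 20251216'."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    prefix, major, minor, patch, rev, build = m.groups()
    version = (int(major), int(minor), int(patch), int(rev))
    return Firmware(product, f"{prefix}{major}.{minor}", version, int(build or 0))

def is_patched(fw: Firmware) -> Optional[bool]:
    """True if fw is at or beyond the fixed release for its branch, False if
    it is older, None if the advisory names no fixed release for that branch.
    A missing build date counts as 0, so an equal version without a build
    date is reported as unpatched rather than silently assumed fixed."""
    fixed = FIXED_RELEASES.get((fw.product, fw.branch))
    if fixed is None:
        return None
    return (fw.version, fw.build) >= fixed

if __name__ == "__main__":
    # Constructed sample inventory: the second entry is an older, made-up build.
    for product, text in [("QTS", "5.2.8.3350 build 20251216"),
                          ("QuTS hero", "h5.3.1.3300 build 20251001")]:
        fw = parse_firmware(product, text)
        print(product, text, "->", {True: "patched", False: "UPDATE", None: "not covered"}[is_patched(fw)])
```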
Users should update their NAS firmware to the latest available versions through the QTS or QuTS hero Control Panel. Navigate to Control Panel > System > Firmware Update and select "Check for Update" to install the patches.
Administrators can manually download the update packages from the QNAP Download Center.