QTS, QuTS hero_CVE-2025-66277

9.2 / 10

CRITICAL

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Description

A link following vulnerability has been reported to affect several QNAP operating system versions. The remote attackers can then exploit the vulnerability to traverse the file system to unintended locations.

We have already fixed the vulnerability in the following versions:
QTS 5.2.8.3350 build 20251216 and later
QuTS hero h5.3.2.3354 build 20251225 and later
QuTS hero h5.2.8.3350 build 20251216 and later

AI Analysis

Link following vulnerability allowing remote attackers to traverse the file system to unintended locations

Basic Information

ID CVE-2025-66277

Source qnap

Published Feb 11, 2026 at 12:15

Affected Product

Vendor QNAP Systems Inc.

Product QTS

Version 5.2.x

Affected Versions QNAP Systems Inc. QTS 5.2.x
QNAP Systems Inc. QuTS hero h5.3.x
QNAP Systems Inc. QuTS hero h5.2.x

CWE Classification

CWE-59

AI Assessment

AI Score 9.2 / 10

AI Severity Critical

Vendor QNAP Systems Inc.

Product QTS, QuTS hero

Version 5.2.x, h5.3.x, h5.2.x

References

www.qnap.com /en/security-advisory/qsa-26-05

{
    "lastseen": "",
    "description": "A link following vulnerability has been reported to affect several QNAP operating system versions. The remote attackers can then exploit the vulnerability to traverse the file system to unintended locations.\n\nWe have already fixed the vulnerability in the following versions:\nQTS 5.2.8.3350 build 20251216 and later\nQuTS hero h5.3.2.3354 build 20251225 and later\nQuTS hero h5.2.8.3350 build 20251216 and later",
    "published": "2026-02-11T12:15:43.851Z",
    "modified": "2026-02-11T12:15:43.851Z",
    "type": "cve",
    "title": "QTS, QuTS hero",
    "source": "qnap",
    "references": "https://www.qnap.com/en/security-advisory/qsa-26-05",
    "id": "CVE-2025-66277",
    "bulletinFamily": "",
    "cwe": [
        "CWE-59"
    ],
    "cvelist": null,
    "sourceData": "QNAP Systems Inc. QTS 5.2.x\nQNAP Systems Inc. QuTS hero h5.3.x\nQNAP Systems Inc. QuTS hero h5.2.x",
    "sourceHref": "",
    "cvss": {
        "score": 9.2,
        "severity": "CRITICAL",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "QTS",
    "version": "5.2.x",
    "vendor": "QNAP Systems Inc.",
    "ai_description": "Link following vulnerability allowing remote attackers to traverse the file system to unintended locations",
    "ai_severity": "Critical",
    "ai_vendor": "QNAP Systems Inc.",
    "ai_product": "QTS, QuTS hero",
    "ai_version": "5.2.x, h5.3.x, h5.2.x",
    "ai_score": 9.2
}