QTS, QuTS hero
Summary
| CVE | CVE-2025-59381 |
|---|---|
| State | PUBLISHED |
| Assigner | qnap |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-01-02 16:17:00 UTC |
| Updated | 2026-06-09 08:16:26 UTC |
| Description | A path traversal vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to read the contents of unexpected files or system data. We have already fixed the vulnerability in the following versions: QTS 5.2.8.3332 build 20251128 and later QuTS hero h5.2.8.3321 build 20251117 and later QuTS hero h5.3.2.3354 build 20251225 and later |
Risk And Classification
Primary CVSS: v4.0 6.9 MEDIUM from [email protected]
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS: 0.003920000 probability, percentile 0.307590000 (date 2026-06-15)
Problem Types: CWE-22 | CWE-22 CWE-22
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 4.0 | [email protected] | Secondary | 6.9 | MEDIUM | CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/C... |
| 4.0 | CNA | CVSS | 6.9 | MEDIUM | CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N |
| 3.1 | [email protected] | Primary | 4.9 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N |
CVSS v4.0 Breakdown
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CVSS v3.1 Breakdown
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Operating System | Qnap | Qts | 5.2.0.2737 | build_20240417 | All | All |
| Operating System | Qnap | Qts | 5.2.0.2744 | build_20240424 | All | All |
| Operating System | Qnap | Qts | 5.2.0.2782 | build_20240601 | All | All |
| Operating System | Qnap | Qts | 5.2.0.2802 | build_20240620 | All | All |
| Operating System | Qnap | Qts | 5.2.0.2823 | build_20240711 | All | All |
| Operating System | Qnap | Qts | 5.2.0.2851 | build_20240808 | All | All |
| Operating System | Qnap | Qts | 5.2.0.2860 | build_20240817 | All | All |
| Operating System | Qnap | Qts | 5.2.1.2930 | build_20241025 | All | All |
| Operating System | Qnap | Qts | 5.2.2.2950 | build_20241114 | All | All |
| Operating System | Qnap | Qts | 5.2.3.3006 | build_20250108 | All | All |
| Operating System | Qnap | Qts | 5.2.4.3070 | build_20250312 | All | All |
| Operating System | Qnap | Qts | 5.2.4.3079 | build_20250321 | All | All |
| Operating System | Qnap | Qts | 5.2.4.3092 | build_20250403 | All | All |
| Operating System | Qnap | Qts | 5.2.5.3145 | build_20250526 | All | All |
| Operating System | Qnap | Qts | 5.2.6.3195 | build_20250715 | All | All |
| Operating System | Qnap | Qts | 5.2.6.3229 | build_20250818 | All | All |
| Operating System | Qnap | Qts | 5.2.7.3256 | build_20250913 | All | All |
| Operating System | Qnap | Qts | 5.2.7.3297 | build_20251024 | All | All |
| Operating System | Qnap | Quts Hero | h5.2.0.2737 | build_20240417 | All | All |
| Operating System | Qnap | Quts Hero | h5.2.0.2782 | build_20240601 | All | All |
| Operating System | Qnap | Quts Hero | h5.2.0.2789 | build_20240607 | All | All |
| Operating System | Qnap | Quts Hero | h5.2.0.2802 | build_20240620 | All | All |
| Operating System | Qnap | Quts Hero | h5.2.0.2823 | build_20240711 | All | All |
| Operating System | Qnap | Quts Hero | h5.2.0.2851 | build_20240808 | All | All |
| Operating System | Qnap | Quts Hero | h5.2.0.2860 | build_20240817 | All | All |
| Operating System | Qnap | Quts Hero | h5.2.1.2929 | build_20241025 | All | All |
| Operating System | Qnap | Quts Hero | h5.2.1.2940 | build_20241105 | All | All |
| Operating System | Qnap | Quts Hero | h5.2.2.2952 | build_20241116 | All | All |
| Operating System | Qnap | Quts Hero | h5.2.3.3006 | build_20250108 | All | All |
| Operating System | Qnap | Quts Hero | h5.2.4.3070 | build_20250312 | All | All |
| Operating System | Qnap | Quts Hero | h5.2.4.3079 | build_20250321 | All | All |
| Operating System | Qnap | Quts Hero | h5.2.5.3138 | build_20250519 | All | All |
| Operating System | Qnap | Quts Hero | h5.2.6.3195 | build_20250715 | All | All |
| Operating System | Qnap | Quts Hero | h5.2.7.3256 | build_20250913 | All | All |
| Operating System | Qnap | Quts Hero | h5.2.7.3297 | build_20251024 | All | All |
| Operating System | Qnap | Quts Hero | h5.3.0.3115 | build_20250430 | All | All |
| Operating System | Qnap | Quts Hero | h5.3.0.3145 | build_20250530 | All | All |
| Operating System | Qnap | Quts Hero | h5.3.0.3192 | build_20250716 | All | All |
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | QNAP Systems Inc. | QTS | affected 5.2.0 5.2.8.3332 build 20251128 custom | Not specified |
| CNA | QNAP Systems Inc. | QuTS Hero | affected h5.2.0 h5.2.8.3321 build 20251117 custom | Not specified |
| CNA | QNAP Systems Inc. | QuTS Hero | affected h5.3.0 h5.3.2.3354 build 20251225 custom | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| www.qnap.com/en/security-advisory/qsa-25-51 | [email protected] | www.qnap.com | Vendor Advisory |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
CNA: coral (en)
Additional Advisory Data
Solutions
CNA: We have already fixed the vulnerability in the following versions: QTS 5.2.8.3332 build 20251128 and later QuTS hero h5.2.8.3321 build 20251117 and later QuTS hero h5.3.2.3354 build 20251225 and later