Skip to main content
A Leader in the 2026 Gartner® Magic Quadrant™ for Endpoint Protection. Six years running.Find Out Why
CVE Vulnerability Database
Vulnerability Database/CVE-2025-66273

CVE-2025-66273: QNAP OS Command Injection Vulnerability

CVE-2025-66273 is a command injection vulnerability in QNAP operating systems that allows authenticated administrators to execute arbitrary commands. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2025-66273 Overview

CVE-2025-66273 is a command injection vulnerability (CWE-78) affecting multiple QNAP operating system versions. A remote attacker who has obtained an administrator account can exploit the flaw to execute arbitrary operating system commands on the target device. QNAP has released fixed builds across QTS and QuTS hero product lines.

Critical Impact

Authenticated administrators can execute arbitrary commands on QNAP network-attached storage (NAS) devices, leading to full compromise of stored data and the underlying operating system.

Affected Products

  • QNAP QTS versions prior to 5.2.9.3410 build 20260214
  • QNAP QuTS hero versions prior to h5.2.9.3410 build 20260214, h5.3.4.3500 build 20260520, and h6.0.0.3397 build 20260206
  • QNAP NAS appliances running the affected QTS or QuTS hero firmware

Discovery Timeline

  • 2026-06-10 - CVE-2025-66273 published to the National Vulnerability Database (NVD)
  • 2026-06-10 - Last updated in NVD database

Technical Details for CVE-2025-66273

Vulnerability Analysis

The vulnerability is classified as Improper Neutralization of Special Elements used in an OS Command (CWE-78). User-supplied input reaches an underlying operating system shell without sufficient sanitization. An authenticated administrator can inject shell metacharacters into a vulnerable parameter to break out of the intended command context.

Successful exploitation grants the attacker the ability to run arbitrary commands with the privileges of the QNAP service process. On QNAP NAS appliances, this typically translates to high-privilege access to the host operating system, configuration data, and stored files. The EPSS probability for this CVE is 0.521%.

Root Cause

The root cause is the construction of operating system commands using untrusted input without proper escaping or use of parameterized APIs. Affected QTS and QuTS hero components concatenate attacker-controlled data into shell command strings, allowing injection of additional commands through metacharacters such as ;, |, &, or backticks.

Attack Vector

The attack vector is network-based and requires high privileges, specifically a valid administrator account on the QNAP device. No user interaction is needed once authenticated. Attackers can reach the vulnerable endpoint through the QNAP web management interface exposed on the local network or, in misconfigured deployments, over the internet.

No verified public proof-of-concept code is currently available. Refer to the QNAP Security Advisory QSA-26-10 for vendor technical details.

Detection Methods for CVE-2025-66273

Indicators of Compromise

  • Unexpected child processes spawned by QNAP web management or system daemons, particularly shells such as sh, bash, or busybox.
  • Administrator session activity originating from unusual source IP addresses or geolocations.
  • New or modified cron jobs, startup scripts, or SSH authorized_keys entries on the QNAP appliance.

Detection Strategies

  • Monitor QNAP system logs and web access logs for administrator API calls containing shell metacharacters such as ;, |, &&, $(), or backticks.
  • Alert on unexpected outbound connections initiated by NAS appliances, which may indicate post-exploitation command-and-control activity.
  • Track administrator login events and correlate with subsequent process creation on the device.

Monitoring Recommendations

  • Forward QNAP syslog and audit data to a centralized logging or SIEM platform for retention and correlation.
  • Establish a baseline of normal administrator activity and flag deviations such as off-hours logins or rapid configuration changes.
  • Review firewall logs for management interface access from untrusted networks.

How to Mitigate CVE-2025-66273

Immediate Actions Required

  • Update affected QNAP devices to QTS 5.2.9.3410 build 20260214 or later, or the corresponding patched QuTS hero builds listed in the vendor advisory.
  • Restrict access to the QNAP administrative interface to trusted management networks only and remove any internet exposure.
  • Audit administrator accounts, remove unused accounts, and rotate passwords for all remaining administrators.

Patch Information

QNAP has released fixed builds: QTS 5.2.9.3410 build 20260214 and later, QuTS hero h5.2.9.3410 build 20260214 and later, QuTS hero h5.3.4.3500 build 20260520 and later, and QuTS hero h6.0.0.3397 build 20260206 and later. Apply the appropriate update through the QNAP Control Panel or follow the procedure described in QNAP Security Advisory QSA-26-10.

Workarounds

  • Enforce multi-factor authentication on all QNAP administrator accounts to reduce the risk of credential-based compromise.
  • Disable the QNAP web administration interface on untrusted network segments until patches are applied.
  • Place QNAP devices behind a VPN or jump host so the management plane is not directly reachable from end-user networks.
bash
# Verify the running QTS or QuTS hero version on the appliance
getcfg -f /etc/config/uLinux.conf System Version
getcfg -f /etc/config/uLinux.conf System "Build Number"

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.

Try SentinelOne