The SentinelOne Annual Threat Report - A Defenders Guide from the FrontlinesThe SentinelOne Annual Threat ReportGet the Report
Experiencing a Breach?Blog
Get StartedContact Us
SentinelOne
  • Platform
    Platform Overview
    • Singularity Platform
      Welcome to Integrated Enterprise Security
    • AI for Security
      Leading the Way in AI-Powered Security Solutions
    • Securing AI
      Accelerate AI Adoption with Secure AI Tools, Apps, and Agents.
    • How It Works
      The Singularity XDR Difference
    • Singularity Marketplace
      One-Click Integrations to Unlock the Power of XDR
    • Pricing & Packaging
      Comparisons and Guidance at a Glance
    Data & AI
    • Purple AI
      Accelerate SecOps with Generative AI
    • Singularity Hyperautomation
      Easily Automate Security Processes
    • AI-SIEM
      The AI SIEM for the Autonomous SOC
    • Singularity Data Lake
      AI-Powered, Unified Data Lake
    • Singularity Data Lake for Log Analytics
      Seamlessly Ingest Data from On-Prem, Cloud or Hybrid Environments
    Endpoint Security
    • Singularity Endpoint
      Autonomous Prevention, Detection, and Response
    • Singularity XDR
      Native & Open Protection, Detection, and Response
    • Singularity RemoteOps Forensics
      Orchestrate Forensics at Scale
    • Singularity Threat Intelligence
      Comprehensive Adversary Intelligence
    • Singularity Vulnerability Management
      Application & OS Vulnerability Management
    • Singularity Identity
      Identity Threat Detection and Response
    Cloud Security
    • Singularity Cloud Security
      Block Attacks with an AI-Powered CNAPP
    • Singularity Cloud Native Security
      Secure Cloud and Development Resources
    • Singularity Cloud Workload Security
      Real-Time Cloud Workload Protection Platform
    • Singularity Cloud Data Security
      AI-Powered Threat Detection for Cloud Storage
    • Singularity Cloud Security Posture Management
      Detect and Remediate Cloud Misconfigurations
    Securing AI
    • Prompt Security
      Secure AI Tools Across Your Enterprise
  • Why SentinelOne?
    Why SentinelOne?
    • Why SentinelOne?
      Cybersecurity Built for What’s Next
    • Our Customers
      Trusted by the World’s Leading Enterprises
    • Industry Recognition
      Tested and Proven by the Experts
    • About Us
      The Industry Leader in Autonomous Cybersecurity
    Compare SentinelOne
    • Arctic Wolf
    • Broadcom
    • CrowdStrike
    • Cybereason
    • Microsoft
    • Palo Alto Networks
    • Sophos
    • Splunk
    • Trellix
    • Trend Micro
    • Wiz
    Verticals
    • Energy
    • Federal Government
    • Finance
    • Healthcare
    • Higher Education
    • K-12 Education
    • Manufacturing
    • Retail
    • State and Local Government
  • Services
    Managed Services
    • Managed Services Overview
      Wayfinder Threat Detection & Response
    • Threat Hunting
      World-Class Expertise and Threat Intelligence
    • Managed Detection & Response
      24/7/365 Expert MDR Across Your Entire Environment
    • Incident Readiness & Response
      DFIR, Breach Readiness, & Compromise Assessments
    Support, Deployment, & Health
    • Technical Account Management
      Customer Success with Personalized Service
    • SentinelOne GO
      Guided Onboarding & Deployment Advisory
    • SentinelOne University
      Live and On-Demand Training
    • Services Overview
      Comprehensive Solutions for Seamless Security Operations
    • SentinelOne Community
      Community Login
  • Partners
    Our Network
    • MSSP Partners
      Succeed Faster with SentinelOne
    • Singularity Marketplace
      Extend the Power of S1 Technology
    • Cyber Risk Partners
      Enlist Pro Response and Advisory Teams
    • Technology Alliances
      Integrated, Enterprise-Scale Solutions
    • SentinelOne for AWS
      Hosted in AWS Regions Around the World
    • Channel Partners
      Deliver the Right Solutions, Together
    • SentinelOne for Google Cloud
      Unified, Autonomous Security Giving Defenders the Advantage at Global Scale
    • Partner Locator
      Your Go-to Source for Our Top Partners in Your Region
    Partner Portal→
  • Resources
    Resource Center
    • Case Studies
    • Data Sheets
    • eBooks
    • Reports
    • Videos
    • Webinars
    • Whitepapers
    • Events
    View All Resources→
    Blog
    • Feature Spotlight
    • For CISO/CIO
    • From the Front Lines
    • Identity
    • Cloud
    • macOS
    • SentinelOne Blog
    Blog→
    Tech Resources
    • SentinelLABS
    • Ransomware Anthology
    • Cybersecurity 101
  • About
    About SentinelOne
    • About SentinelOne
      The Industry Leader in Cybersecurity
    • Investor Relations
      Financial Information & Events
    • SentinelLABS
      Threat Research for the Modern Threat Hunter
    • Careers
      The Latest Job Opportunities
    • Press & News
      Company Announcements
    • Cybersecurity Blog
      The Latest Cybersecurity Threats, News, & More
    • FAQ
      Get Answers to Our Most Frequently Asked Questions
    • DataSet
      The Live Data Platform
    • S Foundation
      Securing a Safer Future for All
    • S Ventures
      Investing in the Next Generation of Security, Data and AI
  • Pricing
Get StartedContact Us
CVE Vulnerability Database
Vulnerability Database/CVE-2025-66277

CVE-2025-66277: QNAP QTS Path Traversal Vulnerability

CVE-2025-66277 is a link following path traversal vulnerability in QNAP QTS that allows remote attackers to access unintended file system locations. This article covers technical details, affected versions, and mitigation.

Published: February 13, 2026

CVE-2025-66277 Overview

A link following vulnerability (CWE-59) has been identified in multiple QNAP Network Attached Storage (NAS) operating system versions. This critical security flaw allows remote attackers to exploit improper handling of symbolic or hard links to traverse the file system to unintended locations. The vulnerability affects both QNAP QTS and QuTS hero operating systems across numerous build versions.

Link following vulnerabilities, also known as symlink attacks, occur when an application follows a symbolic link to access a file or directory, but fails to properly validate that the destination is within the intended scope. In this case, remote attackers can leverage this weakness to access sensitive files, configuration data, or system directories that should be protected from unauthorized access.

Critical Impact

Remote attackers can exploit this vulnerability to traverse the file system to unintended locations, potentially accessing sensitive data, configuration files, or system resources on affected QNAP NAS devices.

Affected Products

  • QNAP QTS versions prior to 5.2.8.3350 build 20251216
  • QNAP QuTS hero versions prior to h5.3.2.3354 build 20251225
  • QNAP QuTS hero versions prior to h5.2.8.3350 build 20251216

Discovery Timeline

  • 2026-02-11 - CVE-2025-66277 published to NVD
  • 2026-02-12 - Last updated in NVD database

Technical Details for CVE-2025-66277

Vulnerability Analysis

This link following vulnerability represents a significant security risk for QNAP NAS deployments, particularly those exposed to network access. The flaw enables remote attackers to manipulate file system operations by exploiting how the operating system resolves symbolic or hard links.

The vulnerability is network-accessible, meaning attackers do not require physical access to the device. While some attack preconditions exist, the exploitation does not require authentication or user interaction, making it particularly dangerous for internet-exposed NAS devices. Successful exploitation can result in high impacts to confidentiality, integrity, and availability of the affected system.

QNAP NAS devices are commonly used in both enterprise and home environments to store critical data, including backups, sensitive documents, and media files. The ability to traverse the file system to unintended locations could allow attackers to read sensitive configuration files containing credentials, access protected user data, or potentially modify critical system files.

Root Cause

The root cause of CVE-2025-66277 is improper link resolution in the affected QNAP operating systems (CWE-59: Improper Link Resolution Before File Access). When the system processes file operations involving symbolic links or hard links, it fails to adequately validate that the resolved target path remains within the intended directory boundaries.

This type of vulnerability typically arises when:

  • The application does not canonicalize paths before performing access checks
  • Symbolic link resolution occurs after permission validation
  • Race conditions exist between link validation and file access
  • Insufficient restrictions are placed on link creation in user-accessible directories

Attack Vector

The attack vector for this vulnerability is network-based, allowing remote exploitation. An attacker can exploit this vulnerability by crafting malicious requests that include specially constructed symbolic or hard links designed to escape the intended file system boundaries.

The exploitation scenario involves the attacker creating or manipulating symbolic links to point to sensitive locations outside the permitted directory structure. When the vulnerable QNAP service follows these links, it inadvertently provides access to protected file system locations.

Given that no verified code examples are available, the exploitation mechanism generally involves:

  1. Identifying an endpoint or service that processes file paths
  2. Creating a symbolic link pointing to a sensitive target (e.g., /etc/shadow, /etc/passwd, or configuration files)
  3. Submitting a request that references the symbolic link
  4. The vulnerable service follows the link and provides access to the target location

For detailed technical information, refer to the QNAP Security Advisory QSA-26-05.

Detection Methods for CVE-2025-66277

Indicators of Compromise

  • Unusual file access patterns targeting system configuration directories such as /etc/ or sensitive data locations
  • Creation of unexpected symbolic links in web-accessible or user-writable directories
  • Log entries showing file access attempts to paths outside normal operational boundaries
  • Unexpected read operations on files containing credentials or sensitive system information

Detection Strategies

  • Monitor for symbolic link creation events in user-accessible directories using file integrity monitoring solutions
  • Implement network intrusion detection rules to identify path traversal patterns in requests to QNAP services
  • Review NAS access logs for unusual file access patterns or attempts to access restricted directories
  • Deploy SentinelOne Singularity to detect anomalous file system activity and potential exploitation attempts

Monitoring Recommendations

  • Enable verbose logging on QNAP NAS devices to capture detailed file access events
  • Configure alerts for access attempts to sensitive system files from web services
  • Monitor network traffic for suspicious patterns targeting QNAP management interfaces
  • Implement regular file integrity checks on critical system directories

How to Mitigate CVE-2025-66277

Immediate Actions Required

  • Update QNAP QTS to version 5.2.8.3350 build 20251216 or later immediately
  • Update QNAP QuTS hero to version h5.3.2.3354 build 20251225 or h5.2.8.3350 build 20251216 or later
  • Review network exposure and restrict external access to NAS management interfaces
  • Audit existing symbolic links in user-accessible directories for potential malicious entries

Patch Information

QNAP has released security patches that address this vulnerability. Administrators should update to the following fixed versions as documented in the QNAP Security Advisory QSA-26-05:

ProductFixed Version
QTS5.2.8.3350 build 20251216 and later
QuTS heroh5.3.2.3354 build 20251225 and later
QuTS heroh5.2.8.3350 build 20251216 and later

To update your QNAP device, navigate to Control Panel > System > Firmware Update and check for available updates, or download the firmware directly from the QNAP website.

Workarounds

  • Restrict network access to QNAP NAS devices by placing them behind a firewall and limiting access to trusted IP addresses only
  • Disable unnecessary network services and protocols that may expose the vulnerability
  • Avoid exposing QNAP management interfaces directly to the internet; use VPN for remote access
  • Implement network segmentation to isolate NAS devices from untrusted network segments
bash
# Example: Restrict QNAP web interface access using firewall rules
# Allow access only from trusted management network
iptables -A INPUT -p tcp --dport 8080 -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 8080 -j DROP
iptables -A INPUT -p tcp --dport 443 -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j DROP

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

  • Vulnerability Details
  • TypePath Traversal
  • Vendor/TechQnap Qts
  • SeverityCRITICAL
  • CVSS Score9.2
  • EPSS Probability0.08%
  • Known ExploitedNo
  • CVSS Vector
  • CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • Impact Assessment
  • ConfidentialityLow
  • IntegrityNone
  • AvailabilityHigh
  • CWE References
  • CWE-59
  • Vendor Resources
  • QNAP Security Advisory QSA-26-05
  • Related CVEs
  • CVE-2025-59380: QNAP QTS Path Traversal Vulnerability
  • CVE-2025-59381: QNAP QTS Path Traversal Vulnerability
  • CVE-2024-14026: QNAP QTS Command Injection RCE Vulnerability
  • CVE-2025-58466: QNAP QTS DoS Vulnerability
Experience the World’s Most Advanced Cybersecurity Platform

Experience the World’s Most Advanced Cybersecurity Platform

See how our intelligent, autonomous cybersecurity platform can protect your organization now and into the future.

Try SentinelOne
  • Get Started
  • Get a Demo
  • Product Tour
  • Why SentinelOne
  • Pricing & Packaging
  • FAQ
  • Contact
  • Contact Us
  • Customer Support
  • SentinelOne Status
  • Language
  • Platform
  • Singularity Platform
  • Singularity Endpoint
  • Singularity Cloud
  • Singularity AI-SIEM
  • Singularity Identity
  • Singularity Marketplace
  • Purple AI
  • Services
  • Wayfinder TDR
  • SentinelOne GO
  • Technical Account Management
  • Support Services
  • Verticals
  • Energy
  • Federal Government
  • Finance
  • Healthcare
  • Higher Education
  • K-12 Education
  • Manufacturing
  • Retail
  • State and Local Government
  • Cybersecurity for SMB
  • Resources
  • Blog
  • Labs
  • Case Studies
  • Videos
  • Product Tours
  • Events
  • Cybersecurity 101
  • eBooks
  • Webinars
  • Whitepapers
  • Press
  • News
  • Ransomware Anthology
  • Company
  • About Us
  • Our Customers
  • Careers
  • Partners
  • Legal & Compliance
  • Security & Compliance
  • Investor Relations
  • S Foundation
  • S Ventures

©2026 SentinelOne, All Rights Reserved.

Privacy Notice Terms of Use

English