CVE-2025-66281 Overview
CVE-2025-66281 is a NULL pointer dereference vulnerability [CWE-476] affecting multiple QNAP operating system versions. Remote attackers can exploit the flaw to trigger a denial-of-service (DoS) condition on impacted devices. The vulnerability requires no authentication and no user interaction. It is exploitable over the network. QNAP has released fixed builds across QTS and QuTS hero product lines.
Critical Impact
Unauthenticated remote attackers can cause a denial-of-service condition on QNAP NAS devices running affected QTS and QuTS hero builds.
Affected Products
- QNAP QTS versions prior to 5.2.9.3410 build 20260214
- QNAP QuTS hero h5.2.x and h5.3.x versions prior to the fixed builds
- QNAP QuTS hero h6.0.x versions prior to 6.0.0.3397 build 20260206
Discovery Timeline
- 2026-06-10 - CVE CVE-2025-66281 published to NVD
- 2026-06-10 - Last updated in NVD database
Technical Details for CVE-2025-66281
Vulnerability Analysis
The vulnerability is classified as a NULL pointer dereference [CWE-476] in QNAP operating system services exposed over the network. When the affected code path receives a crafted request, it attempts to dereference a pointer that has not been validated or initialized. The resulting access of a NULL address aborts the affected process and disrupts service availability.
The impact is limited to availability. No information disclosure, integrity loss, or privilege escalation has been reported. QNAP's advisory describes the outcome as a denial-of-service condition, consistent with a process or service crash on the device.
Because the flaw is reachable without authentication, an attacker with network access to the appliance can repeatedly trigger the condition. NAS devices exposed to the internet are at higher risk.
Root Cause
The root cause is missing validation of a pointer prior to dereference within an affected service in QTS and QuTS hero. When the unvalidated pointer is NULL at the time of access, the kernel or service terminates abnormally. QNAP has not publicly disclosed the specific component or function involved.
Attack Vector
The attack vector is network-based. A remote, unauthenticated attacker sends a crafted request to a network-exposed service on the QNAP device. Successful exploitation causes a crash, requiring service or device restart to restore availability. Refer to the QNAP Security Advisory QSA-26-10 for vendor-specific technical details.
Detection Methods for CVE-2025-66281
Indicators of Compromise
- Unexpected service restarts or process crashes on QNAP NAS appliances
- Repeated connection attempts from external sources to QNAP management or service ports
- Kernel or daemon segmentation fault entries in system logs around the time of service disruption
Detection Strategies
- Monitor QNAP system logs for abnormal terminations and watchdog-triggered restarts of network services
- Correlate network telemetry with crash events to identify the source IP issuing malformed requests
- Track the firmware version of each QNAP device against the fixed builds listed in QSA-26-10
Monitoring Recommendations
- Centralize QNAP syslog forwarding to a SIEM and alert on repeated service crashes
- Track inbound traffic to NAS management interfaces from untrusted networks
- Inventory QNAP devices and their firmware versions to identify unpatched assets
How to Mitigate CVE-2025-66281
Immediate Actions Required
- Update affected devices to the fixed builds: QTS 5.2.9.3410 build 20260214 or later, QuTS hero h5.2.9.3410 build 20260214 or later, QuTS hero h5.3.4.3500 build 20260520 or later, and QuTS hero h6.0.0.3397 build 20260206 or later
- Restrict network exposure of QNAP management and service ports to trusted networks only
- Verify that automatic firmware update notifications are enabled on managed devices
Patch Information
QNAP has released firmware updates that remediate the vulnerability. Apply the following fixed versions per the QNAP Security Advisory QSA-26-10: QTS 5.2.9.3410 build 20260214 and later, QuTS hero h5.2.9.3410 build 20260214 and later, QuTS hero h5.3.4.3500 build 20260520 and later, and QuTS hero h6.0.0.3397 build 20260206 and later.
Workarounds
- Place QNAP devices behind a firewall and block unsolicited inbound traffic from the public internet
- Disable network services that are not in active use on the appliance
- Use a VPN for remote administrative access rather than exposing management interfaces directly
# Verify QNAP firmware version via SSH
getcfg System Version -f /etc/config/uLinux.conf
getcfg System "Build Number" -f /etc/config/uLinux.conf
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
