CVE-2025-66276
published 2026-06-10CVE-2025-66276: QuTS hero is not affected. We have already fixed the vulnerability in the following version: QTS 5.2.7.3256 build 20250913 and later
PriorityP355critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
EPSS
0.29%
20.7th percentile
QuTS hero is not affected.
We have already fixed the vulnerability in the following version:
QTS 5.2.7.3256 build 20250913 and later
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| qnap | qts | >= 4.3.0 < 5.2.7.3256 | 5.2.7.3256 |
| qnap_systems_inc | qts | >= 5.2.0 < 5.2.7.3256 build 20250913 | 5.2.7.3256 build 20250913 |
CVSS provenance
nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv4.09.2CRITICALCVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
VulDB
QNAP QTS/QuTS hero 5.2.7.3256 Remote Code Execution (qsa-25-56)
vuldb·2026-06-15·CVSS 9.8
CVE-2025-66276 [CRITICAL] QNAP QTS/QuTS hero 5.2.7.3256 Remote Code Execution (qsa-25-56)
A vulnerability was found in QNAP QTS and QuTS hero 5.2.7.3256. It has been classified as critical. The impacted element is an unknown function. The manipulation leads to Remote Code Execution.
This vulnerability is referenced as CVE-2025-66276. Remote exploitation of the attack is possible. No exploit is available.
Upgrading the affected component is recommended.
GHSA
QuTS hero is not affected.
ghsa_unreviewed·2026-06-10
CVE-2025-66276 [CRITICAL] QuTS hero is not affected.
QuTS hero is not affected.
We have already fixed the vulnerability in the following version:
QTS 5.2.7.3256 build 20250913 and later
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2026-06-10
Published