HIGH 7.2

CVE-2025-66281: QNAP NULL Pointer Dereference DoS Vulnerability (HIGH)

CVE-2025-66281 is a NULL pointer dereference vulnerability affecting QNAP NAS operating systems. When triggered, the flaw causes the application to crash, resulting in a denial-of-service condition. An attacker with high-level administrative privileges can remotely exploit this to disrupt NAS availability. While the vulnerability requires elevated credentials to trigger, the impact is immediate and can leave your storage infrastructure offline until patched.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.2 HIGH · CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-476
Affected products
2 configuration(s)
Published / Modified
2026-06-10 / 2026-06-17

NVD description (verbatim)

A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. The remote attackers can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following versions: QTS 5.2.9.3410 build 20260214 and later QuTS hero h5.2.9.3410 build 20260214 and later QuTS hero h5.3.4.3500 build 20260520 and later QuTS hero h6.0.0.3397 build 20260206 and later

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

This vulnerability exploits a NULL pointer dereference (CWE-476) in multiple QNAP OS versions. The flaw exists in code that fails to validate pointer initialization before dereferencing, allowing a high-privileged remote attacker to cause an unhandled exception and crash the service. The CVSS 3.1 score of 7.2 reflects the combination of high-privilege requirement (PR:H), network accessibility (AV:N), and severe impact across confidentiality, integrity, and availability (C:H/I:H/A:H).

Business impact

A successful exploitation leads to immediate unavailability of QNAP NAS devices, disrupting backup operations, file service delivery, and any dependent applications. For organizations relying on QNAP for critical backup or archive functions, even brief downtime can cascade into recovery delays and SLA violations. The high-privilege requirement somewhat limits exposure, but internal threats or compromised admin accounts pose real risk.

Affected systems

QNAP QTS and QuTS hero operating system families are affected across multiple major versions. Patched versions are available: QTS 5.2.9.3410 build 20260214 and later; QuTS hero h5.2.9.3410 build 20260214 and later; QuTS hero h5.3.4.3500 build 20260520 and later; and QuTS hero h6.0.0.3397 build 20260206 and later. Any system running earlier builds of these series requires urgent attention.

Exploitability

Exploitation requires high-privilege credentials (administrator level), significantly reducing the attack surface compared to unauthenticated vulnerabilities. However, the vulnerability is not marked for inclusion in CISA's Known Exploited Vulnerabilities catalog, meaning active exploitation in the wild has not been confirmed at publication. The network-accessible nature and deterministic crash behavior suggest that once an attacker gains admin access through other means, weaponization would be straightforward.

Remediation

Apply the vendor-supplied patches immediately to move to patched builds. For QTS users, update to 5.2.9.3410 build 20260214 or later. QuTS hero users should upgrade based on their current version: h5.2.9.3410 (build 20260214+), h5.3.4.3500 (build 20260520+), or h6.0.0.3397 (build 20260206+). Test patches in a non-production environment first, particularly if the NAS is actively serving critical backup or data sharing roles.

Patch guidance

QNAP has released firmware updates addressing this flaw across affected product lines. Consult the official QNAP security advisory to confirm which build corresponds to your hardware model and current OS version, then schedule updates during a maintenance window to minimize disruption. Monitor QNAP's security notification channels for any rollback notices or unexpected issues with the patched builds.

Detection guidance

Monitor NAS system logs for unexpected crashes, reboot events, or service interruptions that correlate with administrative access patterns. Network monitoring can flag unusual connections to NAS management ports from unexpected sources. Because exploitation requires high privilege, detection should focus on anomalous admin activity, credential compromise indicators, and unusual remote access to management interfaces.

Why prioritize this

Although a HIGH severity rating and network accessibility might suggest maximum urgency, the requirement for high-privilege credentials substantially reduces practical risk for most organizations. Prioritize this based on: (1) whether your NAS infrastructure is exposed to untrusted admin users or if admin credentials are at elevated compromise risk; (2) the business criticality of NAS uptime; and (3) your change management cycle. Organizations with strong administrative access controls and isolated NAS management networks can schedule patching within normal maintenance windows rather than emergency response.

Risk score, explained

The CVSS 3.1 score of 7.2 (HIGH) reflects the combination of network accessibility (AV:N), low attack complexity (AC:L), and severe impact on availability, confidentiality, and integrity. However, the PR:H (high privilege requirement) constraint is critical context: it limits the practical threat actor pool and acknowledges that most denial-of-service impact depends on admin credential compromise or insider threats, not widespread exploitation of unauthenticated interfaces.

Frequently asked questions

Do I need to patch this immediately, or can I schedule it?

The high-privilege requirement means you can typically schedule this during a planned maintenance window rather than declare an emergency. However, if your NAS admin credentials are shared, stored in accessible locations, or if you have concerns about insider threats, expedite the patch. Assess your credential security posture first.

Is there a workaround if I cannot patch right away?

No technical workaround has been disclosed. The only mitigation is to restrict administrative access to trusted, authenticated users and monitor for unusual admin activity. Isolate NAS management traffic on a separate, secured network if possible.

Why does CVSS show C:H and I:H impact when this is mainly a DoS (availability issue)?

The CVSS vector indicates the potential impact scope if an attacker exploits the vulnerability—confidentiality and integrity are marked high because administrative-level access can affect data. However, in this specific case, the exploit manifests as a crash, so availability impact is the primary real-world concern.

Are QNAP providing any telemetry or detection signatures for this flaw?

Consult the official QNAP security advisory and check their detection/monitoring guidance. Some vendors release IDS signatures or log indicators; verify directly with QNAP or your NAS vendor support.

This analysis is based on information available as of June 2026 and reflects vendor advisories and CVSS scoring at that time. Patch versions, build dates, and affected product lists should be verified directly against QNAP's official security advisory before deployment. No exploit code or weaponized proof-of-concept is provided. Organizations should evaluate their specific NAS deployment, admin credential security, and business impact before prioritizing patches. SEC.co does not guarantee the completeness or accuracy of third-party vendor information and recommends confirming all technical details with QNAP support. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).