CVE-2025-66279
A command injection vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to...
Affects 0 products across 1 vendor.
Attacker injects OS commands through application inputs passed to system() or equivalent calls, leading to arbitrary command execution.
CVE-2025-66279 is a command injection vulnerability affecting multiple QNAP QTS and QuTS hero NAS operating system versions. An attacker who has obtained administrator-level access can exploit this flaw to execute arbitrary system commands on the affected device. In OT environments where QNAP NAS devices are used for historian data storage, backup, or file sharing, successful exploitation could lead to data destruction, lateral movement, or disruption of critical operational data repositories.
Is this CVE in your environment?
BreachSpider monitors your ICS/OT environment for vulnerabilities like this one. No agents or network access required. Free to start.
Check My Environment →What is CVE-2025-66279?
Is CVE-2025-66279 actively exploited?
How do I remediate CVE-2025-66279?
What systems are affected by CVE-2025-66279?
| CVE ID | CVE-2025-66279 |
|---|---|
| Published | 2026-06-10 |
| Last Modified | 2026-06-10 |
| ICS Relevance | 70% |
| Weakness (CWE) | |
| Source | NVD |
A command injection vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to execute arbitrary commands. We have already fixed the vulnerability in the following versions: QTS 5.2.9.3410 build 20260214 and later QuTS hero h5.2.9.3410 build 20260214 and later QuTS hero h5.3.4.3500 build 20260520 and later QuTS hero h6.0.0.3397 build 20260206 and later
Source: NIST NVD / MITRE CVE Database
| Vendor | Product | Fixed Version |
|---|---|---|
| Qnap | — | — |
Fixed Version: QTS 5.2.9.3410 build 20260214; QuTS hero h5.2.9.3410 build 20260214; QuTS hero h5.3.4.3500 build 20260520; QuTS hero h6.0.0.3397 build 20260206
QNAP patched command injection vulnerabilities across QTS and QuTS hero operating system lines by fixing improper input handling in administrative functions, preventing authenticated administrators from injecting and executing arbitrary OS-level commands through the management interface.
View Vendor Advisory →| CISA KEV | Not in KEV catalog |
|---|---|
| Public Exploit | Not confirmed |
| PoC Code | Not confirmed |
Deploy IDS/IPS rules at the network perimeter and OT DMZ firewall inspecting HTTP/HTTPS traffic destined for QNAP management interfaces. Block access to QNAP administrative ports (80, 443, 8080, 8443) from all untrusted networks. Use a WAF or next-generation firewall with deep packet inspection to detect shell metacharacters in POST request bodies targeting CGI or API endpoints. Restrict administrative access to a dedicated jump host on a hardened management VLAN.
No reliable network detection signature exists for this vulnerability class — apply the compensating controls above and the vendor patch. SAGE only publishes a network rule when a concrete on-the-wire signature can be grounded in the advisory.
Virtual patch generated by CITED Relevance SAGE. Validate in isolated environment before production deployment. Compensating control only - does not replace vendor patch.
ICS/OT Vulnerability Intelligence for Your Environment
BreachSpider monitors 353,228 CVEs across ICS/OT vendors. SAGE-enriched alerts with virtual patches, NERC-CIP mapping, and PSIRT contacts delivered to your SIEM in minutes.
Join free →