CVE-2025-66281
A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. The remote attackers can then exploit the vulnerability to launch a denial-of-service (D...
Affects 0 products across 1 vendor.
Software attempts to use a NULL pointer, causing a crash and denial of service.
A NULL pointer dereference vulnerability affects multiple QNAP operating system versions (QTS and QuTS hero), allowing unauthenticated remote attackers to trigger a denial-of-service condition by crashing the affected system. In OT environments, QNAP NAS devices are commonly used for historian data storage, backup, and file transfer operations; a successful DoS attack could disrupt data logging, backups, or inter-system file sharing critical to operational continuity. While the vulnerability does not enable code execution, availability impact in process-critical environments can be significant.
Is this CVE in your environment?
BreachSpider monitors your ICS/OT environment for vulnerabilities like this one. No agents or network access required. Free to start.
Check My Environment →What is CVE-2025-66281?
Is CVE-2025-66281 actively exploited?
How do I remediate CVE-2025-66281?
What systems are affected by CVE-2025-66281?
| CVE ID | CVE-2025-66281 |
|---|---|
| Published | 2026-06-10 |
| Last Modified | 2026-06-10 |
| ICS Relevance | 55% |
| Weakness (CWE) | |
| Source | NVD |
A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. The remote attackers can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following versions: QTS 5.2.9.3410 build 20260214 and later QuTS hero h5.2.9.3410 build 20260214 and later QuTS hero h5.3.4.3500 build 20260520 and later QuTS hero h6.0.0.3397 build 20260206 and later
Source: NIST NVD / MITRE CVE Database
| Vendor | Product | Fixed Version |
|---|---|---|
| Qnap | — | — |
Fixed Version: QTS 5.2.9.3410 build 20260214; QuTS hero h5.2.9.3410 build 20260214; QuTS hero h5.3.4.3500 build 20260520; QuTS hero h6.0.0.3397 build 20260206
QNAP resolved the NULL pointer dereference condition in QTS and QuTS hero by adding proper pointer validation in the affected network service code path, preventing remote attackers from triggering a denial-of-service crash via crafted network requests.
View Vendor Advisory →| CISA KEV | Not in KEV catalog |
|---|---|
| Public Exploit | Not confirmed |
| PoC Code | Not confirmed |
Deploy rules on perimeter firewall and IDS/IPS protecting OT network segments. Block inbound TCP connections to QNAP management ports (443, 8080, 8081) from all sources except explicitly whitelisted management hosts. Rate-limit or drop high-frequency connection attempts from a single source IP to QNAP device IPs. Place QNAP devices in a dedicated storage VLAN with strict ACLs permitting only authorized OT hosts to communicate with them.
No reliable network detection signature exists for this vulnerability class — apply the compensating controls above and the vendor patch. SAGE only publishes a network rule when a concrete on-the-wire signature can be grounded in the advisory.
Virtual patch generated by CITED Relevance SAGE. Validate in isolated environment before production deployment. Compensating control only - does not replace vendor patch.
ICS/OT Vulnerability Intelligence for Your Environment
BreachSpider monitors 353,228 CVEs across ICS/OT vendors. SAGE-enriched alerts with virtual patches, NERC-CIP mapping, and PSIRT contacts delivered to your SIEM in minutes.
Join free →