Command Injection Vulnerability in QNAP Operating Systems
CVE-2025-30264

7.7 HIGH

Key Information:

Vendor: QNAP

CVE Published: 29 August 2025

What is CVE-2025-30264?

A command injection vulnerability has been identified in multiple versions of QNAP operating systems. The flaw allows remote attackers who have obtained a user account to execute arbitrary commands on affected systems. Users are encouraged to update to the latest versions of QTS and QuTS hero to mitigate the risk associated with this vulnerability.

Affected Version(s)

QTS 5.2.x < 5.2.5.3145 build 20250526

QuTS hero h5.2.x

CVSS V4

Score: 7.7
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Searat and izut