PT-2026-1082 · Qnap · Quts Hero+1
Coral
·
Published
2026-01-02
·
Updated
2026-01-02
·
CVE-2025-53591
CVSS v3.1
6.5
Medium
| Vector | AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N |
Name of the Vulnerable Software and Affected Versions
QNAP versions prior to QTS 5.2.7.3256 build 20250913
QNAP versions prior to QuTS hero h5.2.7.3256 build 20250913
QNAP versions prior to QuTS hero h5.3.1.3250 build 20250912
Description
A use of externally-controlled format string vulnerability exists in QNAP operating systems. If an attacker obtains an administrator account, they may be able to obtain secret data or modify memory. A format string vulnerability occurs when user-supplied data is used as the format string in a format function, potentially allowing an attacker to read from or write to arbitrary memory locations.
Recommendations
Update QTS to version 5.2.7.3256 build 20250913 or later.
Update QuTS hero to version h5.2.7.3256 build 20250913 or later.
Update QuTS hero to version h5.3.1.3250 build 20250912 or later.
Fix
RCE
Use of Externally-Controlled Format String
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Qts
Quts Hero