QTS/QuTS Hero cmd injection CVE202566273 before 5.2.9.3410
CVE-2025-66273 Published on June 10, 2026
QTS, QuTS hero
A command injection vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to execute arbitrary commands.
We have already fixed the vulnerability in the following versions:
QTS 5.2.9.3410 build 20260214 and later
QuTS hero h5.2.9.3410 build 20260214 and later
QuTS hero h5.3.4.3500 build 20260520 and later
QuTS hero h6.0.0.3397 build 20260206 and later
Weakness Type
What is a Shell injection Vulnerability?
The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
CVE-2025-66273 has been classified to as a Shell injection vulnerability or weakness.
Products Associated with CVE-2025-66273
stack.watch emails you whenever new vulnerabilities are published in QNAP Qts or QNAP Quts Hero. Just hit a watch button to start following.
Affected Versions
QNAP Systems Inc. QTS:- Version 5.2.0 and below 5.2.9.3410 build 20260214 is affected.
- Version h5.2.0 and below h5.2.9.3410 build 20260214 is affected.
- Version h5.3.0 and below h5.3.4.3500 build 20260520 is affected.
- Version ? and below h6.0.0.3397 build 20260206 is affected.