QNAP QTS/QuTS hero Security Bulletin: Path Traversal, Command Injection & DoS Fixes (CVE-2025-47211 et al.)

Key Information Vulnerability ID: QSA-25-36 Release Date: October 4, 2025 CVE Identifiers: CVE-2025-47211, CVE-2025-47212, CVE-2025-47213, CVE-2025-47214, CVE-2025-48726, CVE-2025-48727, CVE-2025-48728, CVE-2025-48729, CVE-2025-48730, CVE-2025-52424, CVE-2025-52427, CVE-2025-52428, CVE-2025-52429, CVE-2025-52433, CVE-2025-52853, CVE-2025-52854, CVE-2025-52855, CVE-2025-52856, CVE-2025-52857, CVE-2025-52858, CVE-2025-52859, CVE-2025-52860, CVE-2025-52861, CVE-2025-52862, CVE-2025-52866, CVE-2025-53406, CVE-2025-53407, CVE-2025-52432 Affected Products: QTS 5.2.x, QuTS hero h5.2.x Severity: Medium Status: Resolved Vulnerability Summary Path Traversal Vulnerability (CVE-2025-47211): Remote attackers with administrator account access can exploit this vulnerability to read unintended files or system data. Command Injection Vulnerability (CVE-2025-47212): Remote attackers with administrator account access can exploit this vulnerability to execute arbitrary commands. Denial of Service (DoS) Attack Vulnerability (CVE-2025-48730): Remote attackers with administrator account access can exploit this vulnerability to launch a denial-of-service (DoS) attack. External Control Format String Vulnerability (CVE-2025-53407): Remote attackers with administrator account access can exploit this vulnerability to obtain secret data or modify memory. Fixed Versions Recommended Actions To ensure device security, it is recommended to regularly update the system to the latest version to benefit from vulnerability fixes. You can check the latest available updates for your NAS model via the product support status.

Goal Reached Thanks to every supporter — we hit 100%!

QNAP QTS/QuTS hero Security Bulletin: Path Traversal, Command Injection & DoS Fixes (CVE-2025-47211 et al.)