CVE-2025-59385

CRITICAL

Qnap Qts - Authentication Bypass by Spoofing

Title source: rule

Description

An authentication bypass by spoofing vulnerability has been reported to affect several QNAP operating system versions. The remote attackers can then exploit the vulnerability to access resources which are not otherwise accessible without proper authentication. We have already fixed the vulnerability in the following versions: QTS 5.2.7.3297 build 20251024 and later QuTS hero h5.2.7.3297 build 20251024 and later QuTS hero h5.3.1.3292 build 20251024 and later

References (1)

[Vendor Advisory] https://www.qnap.com/en/security-advisory/qsa-25-45

Scores

CVSS v3 9.8

EPSS 0.0066

EPSS Percentile 71.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact total

Details

CWE

CWE-290

Status published

Products (37)

qnap/qts 5.2.0.2737 build_20240417

qnap/qts 5.2.0.2744 build_20240424

qnap/qts 5.2.0.2782 build_20240601

qnap/qts 5.2.0.2802 build_20240620

qnap/qts 5.2.0.2823 build_20240711

qnap/qts 5.2.0.2851 build_20240808

qnap/qts 5.2.0.2860 build_20240817

qnap/qts 5.2.1.2930 build_20241025

qnap/qts 5.2.2.2950 build_20241114

qnap/qts 5.2.3.3006 build_20250108

... and 27 more

Published Dec 16, 2025

Tracked Since Feb 18, 2026