CVE-2025-9110 in QTS
Summary
by MITRE • 01/02/2026
An exposure of sensitive system information to an unauthorized control sphere vulnerability has been reported to affect several QNAP operating system versions. The remote attackers can then exploit the vulnerability to read application data.
We have already fixed the vulnerability in the following versions: QTS 5.2.8.3332 build 20251128 and later QuTS hero h5.2.8.3321 build 20251117 and later QuTS hero h5.3.1.3250 build 20250912 and later
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 01/06/2026
This vulnerability represents a critical information disclosure flaw that allows remote attackers to access sensitive system data through unauthorized control channels. The issue affects multiple QNAP operating system variants including QTS and QuTS hero platforms, creating potential security risks for network-attached storage devices. The vulnerability stems from improper access controls that permit unauthorized entities to read application data, potentially exposing confidential information stored on the affected systems.
The technical implementation of this flaw involves insufficient validation of user permissions and access controls within the QNAP operating system framework. Attackers can exploit this weakness to gain unauthorized access to application data without proper authentication or authorization, effectively bypassing the intended security boundaries of the system. This type of vulnerability aligns with CWE-200, which addresses information exposure through improper access control mechanisms. The flaw demonstrates a failure in implementing proper privilege separation and access validation protocols that should prevent unauthorized data access.
The operational impact of this vulnerability extends beyond simple data exposure, as it creates potential pathways for further exploitation and lateral movement within compromised networks. Remote attackers who successfully exploit this vulnerability can access application data that may include user credentials, system configurations, and other sensitive information. This exposure creates opportunities for credential theft, system compromise, and potentially more severe attacks depending on the nature of the accessed data. The vulnerability affects multiple versions of QNAP operating systems, indicating a widespread issue that requires immediate attention from system administrators and security teams.
Organizations running affected QNAP systems should prioritize upgrading to the patched versions mentioned in the advisory. The recommended versions include QTS 5.2.8.3332 build 20251128 and later, along with QuTS hero versions h5.2.8.3321 build 20251117 and later, and h5.3.1.3250 build 20250912 and later. These patches address the root cause of the information disclosure vulnerability by implementing proper access control mechanisms and validating user permissions before granting data access. Security teams should also consider implementing network monitoring to detect potential exploitation attempts and conduct comprehensive vulnerability assessments of their QNAP deployments. The remediation process should include verification that all affected systems have been properly updated and that no unauthorized access has occurred during the vulnerability window.