CVE-2025-48725

High

Published: 11 February 2026

Published

11 February 2026

Modified

11 February 2026

KEV Added

—

Patch

—

CVSS Score 8.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

EPSS Score 0.0014 34.2th percentile

Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Description

A buffer overflow vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains a user account, they can then exploit the vulnerability to modify memory or crash processes. We have already fixed the vulnerability…

in the following version: QuTS hero h5.3.2.3354 build 20251225 and later

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly mandates timely remediation of flaws like this buffer overflow through vendor patches, eliminating the vulnerability as provided in QNAP's fix for QuTS hero h5.3.2.3354 and later.

SI-16 Memory Protection good match

prevent

Implements memory protection mechanisms such as non-executable memory and address randomization to prevent unauthorized memory modification or code execution from buffer overflow exploits.

SI-10 Information Input Validation good match

prevent

Requires validation of inputs to system components, directly countering buffer overflows (CWE-120/121) triggered by malformed data from remote authenticated attackers.

Security SummaryAI

CVE-2025-48725 is a buffer overflow vulnerability (CWE-120, CWE-121) affecting several versions of QNAP operating systems, including QuTS hero. Published on 2026-02-11, it carries a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H), indicating high severity due to its potential for integrity and availability impacts.

A remote attacker who has obtained a user account (PR:L) can exploit the vulnerability over the network (AV:N) with low attack complexity (AC:L) and no user interaction required. Successful exploitation allows the attacker to modify memory (I:H) or crash processes (A:H), potentially leading to denial of service or further compromise.

QNAP has fixed the vulnerability in QuTS hero h5.3.2.3354 build 20251225 and later versions. Additional details on affected versions and mitigation steps are available in the vendor's security advisory at https://www.qnap.com/en/security-advisory/qsa-26-08.

Details

CWE(s): CWE-120 CWE-121

Affected Products

qnap

qts

5.2.0.2737, 5.2.0.2744, 5.2.0.2782, 5.2.0.2802, 5.2.0.2823

qnap

quts hero

h5.2.0.2737, h5.2.0.2782, h5.2.0.2789, h5.2.0.2802, h5.2.0.2823

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation

Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

attack.mitre.org →

T1210 Exploitation of Remote Services Lateral Movement

Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.

attack.mitre.org →

T1499.004 Application or System Exploitation Impact

Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

attack.mitre.org →

Why these techniques?

Buffer overflow vulnerability exploitable remotely with low privileges enables memory modification potentially for privilege escalation (T1068) or remote service exploitation (T1210), and process crashes facilitate endpoint DoS via application/system exploitation (T1499.004).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

References

https://www.qnap.com/en/security-advisory/qsa-26-08
Vendor Advisory · security@qnapsecurity.com.tw