Cyber Posture

CVE-2025-52863

High

Published: 02 January 2026

Modified: 05 January 2026
CVSS Score: 8.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H)
EPSS Score: 0.0019 (40.0th percentile)
Risk Priority: 16 (60% EPSS · 20% KEV · 20% CVSS)

Description

A buffer overflow vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains a user account, they can then exploit the vulnerability to modify memory or crash processes. We have already fixed the vulnerability in the following versions: QTS 5.2.7.3256 build 20250913 and later, QuTS hero h5.2.7.3256 build 20250913 and later, QuTS hero h5.3.0.3192 build 20250716 and later.

Mitigating Controls (NIST 800-53 r5) · AI

Prevent: Directly remediates the buffer overflow vulnerability by requiring timely patching to the fixed QNAP OS versions, eliminating the root cause.

Prevent: Provides memory protections such as ASLR, stack canaries, and DEP to prevent successful buffer overflow exploitation leading to memory modification or process crashes.

Prevent: Enforces input validation and bounds checking in system services to block the malformed inputs that trigger the buffer overflow.

Security Summary · AI

CVE-2025-52863 is a buffer overflow vulnerability (CWE-120) affecting several versions of QNAP operating systems, including QTS and QuTS hero. Published on 2026-01-02, it carries a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H), indicating high severity due to its potential for integrity and availability impacts without requiring user interaction.

A remote attacker who has gained a user account on an affected system can exploit the vulnerability over the network with low complexity. Successful exploitation allows the attacker to modify memory or crash processes, enabling denial-of-service conditions or unauthorized data manipulation.

QNAP has fixed the vulnerability in QTS 5.2.7.3256 build 20250913 and later, QuTS hero h5.2.7.3256 build 20250913 and later, and QuTS hero h5.3.0.3192 build 20250716 and later. Additional details are available in the vendor's security advisory at https://www.qnap.com/en/security-advisory/qsa-25-50.

Details

CWE(s)

Affected Products

qnap · quts hero: h5.2.0.2737, h5.2.0.2782, h5.2.0.2789, h5.2.0.2802, h5.2.0.2823
qnap · qts: 5.2.0.2737, 5.2.0.2744, 5.2.0.2782, 5.2.0.2802, 5.2.0.2823

MITRE ATT&CK Enterprise Techniques · AI

T1210 · Exploitation of Remote Services · Lateral Movement
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.

T1499.004 · Application or System Exploitation · Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

T1565.003 · Runtime Data Manipulation · Impact
Adversaries may modify systems in order to manipulate the data as it is accessed and displayed to an end user, thus threatening the integrity of the data.

Why these techniques?

Remote buffer overflow with low privileges enables service exploitation (T1210), process crashes for endpoint DoS via application exploitation (T1499.004), and memory modification for runtime data manipulation (T1565.003).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
