CVE-2025-52864

High

Published: 02 January 2026

Published

02 January 2026

Modified

05 January 2026

KEV Added

—

Patch

—

CVSS Score 8.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

EPSS Score 0.0019 40.0th percentile

Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Description

A buffer overflow vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains a user account, they can then exploit the vulnerability to modify memory or crash processes. We have already fixed the vulnerability…

in the following versions: QTS 5.2.7.3256 build 20250913 and later QuTS hero h5.2.7.3256 build 20250913 and later QuTS hero h5.3.0.3192 build 20250716 and later

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly mitigates the buffer overflow vulnerability by requiring timely application of vendor patches to affected QNAP OS versions.

SI-16 Memory Protection good match

prevent

Provides memory protections like address space layout randomization and data execution prevention to block exploitation of buffer overflows causing memory modification or process crashes.

SI-10 Information Input Validation good match

prevent

Enforces input validation and bounds checking to prevent buffer overflows from attacker-supplied data in remote user requests.

Security SummaryAI

CVE-2025-52864 is a buffer overflow vulnerability (CWE-120) affecting several versions of QNAP's QTS and QuTS hero operating systems. Published on 2026-01-02, it carries a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H), indicating high severity due to its potential for significant integrity and availability impacts without requiring user interaction.

A remote attacker who has gained a user account on an affected system can exploit the vulnerability over the network with low complexity. Successful exploitation allows the attacker to modify memory or crash processes, enabling denial-of-service conditions or unauthorized data manipulation.

QNAP has fixed the vulnerability in QTS 5.2.7.3256 build 20250913 and later, QuTS hero h5.2.7.3256 build 20250913 and later, and QuTS hero h5.3.0.3192 build 20250716 and later. Additional details are available in the vendor's security advisory at https://www.qnap.com/en/security-advisory/qsa-25-50.

Details

CWE(s): CWE-120

Affected Products

qnap

quts hero

h5.2.0.2737, h5.2.0.2782, h5.2.0.2789, h5.2.0.2802, h5.2.0.2823

qnap

qts

5.2.0.2737, 5.2.0.2744, 5.2.0.2782, 5.2.0.2802, 5.2.0.2823

MITRE ATT&CK Enterprise TechniquesAI

T1210 Exploitation of Remote Services Lateral Movement

Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.

attack.mitre.org →

T1499.004 Application or System Exploitation Impact

Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

attack.mitre.org →

T1565.003 Runtime Data Manipulation Impact

Adversaries may modify systems in order to manipulate the data as it is accessed and displayed to an end user, thus threatening the integrity of the data.

attack.mitre.org →

Why these techniques?

Buffer overflow enables remote exploitation of a service (T1210) to crash processes for endpoint DoS via application/system exploitation (T1499.004) or modify memory for runtime data manipulation (T1565.003).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://www.qnap.com/en/security-advisory/qsa-25-50
Vendor Advisory · security@qnapsecurity.com.tw