CVE-2025-52872
Published: 02 January 2026
Description
A buffer overflow vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains a user account, they can then exploit the vulnerability to modify memory or crash processes. We have already fixed the vulnerability in the following versions: QTS 5.2.7.3256 build 20250913 and later, QuTS hero h5.2.7.3256 build 20250913 and later, QuTS hero h5.3.0.3192 build 20250716 and later.
Mitigating Controls (NIST 800-53 r5) (AI)
Directly mitigates the buffer overflow by requiring timely application of QNAP patches to fixed versions like QTS 5.2.7.3256.
Implements memory protections such as address space randomization and stack canaries to block exploitation of buffer overflows for memory modification or crashes.
Enforces input validation to restrict oversized or malformed data that could trigger the buffer overflow in QNAP OS processes.
Security Summary (AI)
CVE-2025-52872 is a buffer overflow vulnerability (CWE-120) affecting several versions of QNAP's QTS and QuTS hero operating systems. Published on 2026-01-02, it carries a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H), indicating high severity due to its potential for significant integrity and availability impacts.
A remote attacker who has gained a user account on an affected system can exploit the vulnerability over the network with low attack complexity and no user interaction required. Exploitation enables the attacker to modify memory or crash processes, potentially disrupting system operations or enabling further compromise.
QNAP has fixed the vulnerability in QTS 5.2.7.3256 build 20250913 and later, QuTS hero h5.2.7.3256 build 20250913 and later, and QuTS hero h5.3.0.3192 build 20250716 and later. Administrators should update to these versions or newer to mitigate the issue, with full details available in QNAP's security advisory at https://www.qnap.com/en/security-advisory/qsa-25-50.
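A fleet check against the fixed releases listed above, added here as an example (not QNAP's code or part of the original page). The input string format, the status names and the sample hosts are assumptions; comparison is done per major.minor branch because h5.3.0.3192 carries an earlier build date than h5.2.7.3256.

```python
import re

# Fixed releases as listed on this page: (product, version tuple, build date).
FIXED = [
    ("QTS", (5, 2, 7, 3256), 20250913),
    ("QuTS hero", (5, 2, 7, 3256), 20250913),
    ("QuTS hero", (5, 3, 0, 3192), 20250716),
]

# Assumed input format, mirroring the page: "h5.3.0.3192 build 20250716".
_VERSION_RE = re.compile(r"^h?(\d+)\.(\d+)\.(\d+)\.(\d+)(?:\s+build\s+(\d{8}))?$", re.I)


def parse_version(text):
    """Return ((major, minor, patch, number), build date or None)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    build = int(m.group(5)) if m.group(5) else None
    return tuple(int(g) for g in m.groups()[:4]), build


def patch_status(product, version_text):
    """Classify one host as 'fixed', 'update' or 'unlisted' (assumed labels)."""
    version, build = parse_version(version_text)
    lines = [(v, b) for p, v, b in FIXED if p.lower() == product.lower()]
    if not lines:
        return "unlisted"  # product is not named on the page
    # Compare inside the host's own branch first, so a 5.3.0 host is measured
    # against the 5.3.0 fix and not against the 5.2.7 one.
    for fixed_version, fixed_build in lines:
        if fixed_version[:2] == version[:2]:
            host = (version, build if build is not None else fixed_build)
            return "fixed" if host >= (fixed_version, fixed_build) else "update"
    # Newer than every listed fixed release: covered by "and later".
    if version > max(v for v, _ in lines):
        return "fixed"
    return "unlisted"  # older branch; the page gives no affected range for it


if __name__ == "__main__":
    # Constructed inventory for illustration only.
    for host, product, ver in [
        ("nas-01", "QTS", "5.2.6.3195 build 20250715"),
        ("nas-02", "QuTS hero", "h5.3.0.3192 build 20250716"),
        ("nas-03", "QTS", "5.1.9.2954 build 20241120"),
    ]:
        print(host, product, ver, "->", patch_status(product, ver))
```

Hosts reported as `unlisted` need a manual check against QNAP's advisory, since this page does not state which older branches are affected.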
MITRE ATT&CK Enterprise Techniques (AI)
Why these techniques?
Buffer overflow enables remote exploitation of services (T1210), privilege escalation via memory corruption (T1068), and endpoint DoS through process crashes (T1499.004).