CVE-2025-59385
Published: 16 December 2025
Description
An authentication bypass by spoofing vulnerability has been reported to affect several QNAP operating system versions. The remote attackers can then exploit the vulnerability to access resources which are not otherwise accessible without proper authentication. We have already fixed the vulnerability in the following versions: QTS 5.2.7.3297 build 20251024 and later, QuTS hero h5.2.7.3297 build 20251024 and later, QuTS hero h5.3.1.3292 build 20251024 and later
Mitigating Controls (NIST 800-53 r5) (AI)
- Directly mitigates the CVE by requiring timely identification, reporting, and correction of the specific authentication bypass flaw in QNAP operating systems.
- Enforces approved authorizations for access to protected resources, preventing spoofed authentication from granting unauthorized access.
- Ensures robust identification and authentication for non-organizational users and processes, countering remote spoofing attempts to bypass authentication.
Security Summary (AI)
CVE-2025-59385 is an authentication bypass by spoofing vulnerability (CWE-290) affecting several versions of QNAP's QTS and QuTS hero operating systems. Published on 2025-12-16, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), marking it as critical due to its potential for severe impact without requiring user privileges or interaction.
Remote, unauthenticated attackers can exploit the vulnerability over the network by spoofing authentication mechanisms. This grants access to resources that are normally protected by proper authentication, enabling high levels of confidentiality, integrity, and availability compromise on affected systems.
QNAP has patched the vulnerability in QTS 5.2.7.3297 build 20251024 and later, QuTS hero h5.2.7.3297 build 20251024 and later, and QuTS hero h5.3.1.3292 build 20251024 and later. Additional mitigation details are available in the vendor's security advisory at https://www.qnap.com/en/security-advisory/qsa-25-45.
MITRE ATT&CK Enterprise Techniques (AI)
Why these techniques?
CVE-2025-59385 enables remote unauthenticated exploitation of a public-facing application (QNAP NAS OS) via authentication spoofing bypass, directly mapping to T1190: Exploit Public-Facing Application.