CVE-2025-30264
Published: 29 August 2025
Summary
CVE-2025-30264 is a high-severity Command Injection (CWE-77) vulnerability in QNAP QTS. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 48.8% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Directly mitigates CVE-2025-30264 by requiring timely application of vendor patches to the fixed QNAP QTS and QuTS hero versions.
Prevents command injection exploitation in QNAP OS by enforcing validation and sanitization of all user inputs to block arbitrary command execution.
Reduces impact of arbitrary command execution by authenticated users by restricting accounts to least privileges necessary on QNAP systems.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Authenticated command injection enables remote execution of arbitrary Unix commands on a network-accessible QNAP device.
NVD Description
A command injection vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains a user account, they can then exploit the vulnerability to execute arbitrary commands. We have already fixed the vulnerability in the following versions: QTS 5.2.5.3145 build 20250526 and later; QuTS hero h5.2.5.3138 build 20250519 and later
Deeper analysis
CVE-2025-30264 is a command injection vulnerability (CWE-77, CWE-78) affecting several versions of QNAP's QTS and QuTS hero operating systems. It allows arbitrary command execution and has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant confidentiality, integrity, and availability impacts.
A remote attacker who has already obtained a valid user account on the targeted QNAP device can exploit this vulnerability to execute arbitrary commands. Because attack complexity is low and only low privileges are required, exploitation is possible over the network without user interaction, potentially leading to full system compromise.
QNAP's security advisory (QSA-25-21) states that the vulnerability has been fixed in QTS 5.2.5.3145 build 20250526 and later, as well as QuTS hero h5.2.5.3138 build 20250519 and later. Security practitioners should prioritize updating affected systems to these or newer versions to mitigate the risk.
Details
- CWE(s)