Cyber Posture

CVE-2025-59385

Critical

Published: 16 December 2025

Modified: 17 December 2025
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0040 (60.9th percentile)
Risk Priority: 20 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-59385 is a critical-severity Authentication Bypass by Spoofing (CWE-290) vulnerability in QNAP QuTS hero. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 39.1% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-8 (Identification and Authentication (Non-organizational Users)).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) · AI

prevent: Directly mitigates the CVE by requiring timely identification, reporting, and correction of the specific authentication bypass flaw in QNAP operating systems.

prevent: Enforces approved authorizations for access to protected resources, preventing spoofed authentication from granting unauthorized access.

prevent: Ensures robust identification and authentication for non-organizational users and processes, countering remote spoofing attempts to bypass authentication.

MITRE ATT&CK Enterprise Techniques · AI

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

CVE-2025-59385 enables remote, unauthenticated exploitation of a public-facing application (the QNAP NAS OS) through an authentication bypass by spoofing, which maps directly to T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

An authentication bypass by spoofing vulnerability has been reported to affect several QNAP operating system versions. The remote attackers can then exploit the vulnerability to access resources which are not otherwise accessible without proper authentication. We have already fixed the vulnerability in the following versions:
QTS 5.2.7.3297 build 20251024 and later
QuTS hero h5.2.7.3297 build 20251024 and later
QuTS hero h5.3.1.3292 build 20251024 and later

Deeper analysis · AI

CVE-2025-59385 is an authentication bypass by spoofing vulnerability (CWE-290) affecting several versions of QNAP's QTS and QuTS hero operating systems. Published on 2025-12-16, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), marking it as critical due to its potential for severe impact without requiring user privileges or interaction.

Remote, unauthenticated attackers can exploit the vulnerability over the network by spoofing authentication mechanisms. This grants access to resources that are normally protected by proper authentication, with high impact on the confidentiality, integrity, and availability of affected systems.

QNAP has patched the vulnerability in QTS 5.2.7.3297 build 20251024 and later, QuTS hero h5.2.7.3297 build 20251024 and later, and QuTS hero h5.3.1.3292 build 20251024 and later. Additional mitigation details are available in the vendor's security advisory at https://www.qnap.com/en/security-advisory/qsa-25-45.

Details

CWE(s): CWE-290 (Authentication Bypass by Spoofing)

Affected Products

qnap qts: 5.2.0.2737, 5.2.0.2744, 5.2.0.2782, 5.2.0.2802, 5.2.0.2823
qnap quts hero: h5.2.0.2737, h5.2.0.2782, h5.2.0.2789, h5.2.0.2802, h5.2.0.2823

CVEs Like This One

CVE-2024-13086 · Same product: QNAP QTS
CVE-2025-62849 · Same product: QNAP QTS
CVE-2025-30264 · Same product: QNAP QTS
CVE-2025-9110 · Same product: QNAP QTS
CVE-2025-66277 · Same product: QNAP QTS
CVE-2025-52863 · Same product: QNAP QTS
CVE-2025-48725 · Same product: QNAP QTS
CVE-2024-53693 · Same product: QNAP QTS
CVE-2025-52864 · Same product: QNAP QTS
CVE-2024-38638 · Same product: QNAP QTS
