Cyber Resilience

CVE-2025-9110

Low

Published: 02 January 2026

Published
02 January 2026
Modified
06 January 2026
KEV Added
Patch
CVSS Score v4 2.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0002 4.0th percentile
Risk Priority 5 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-9110 is a low-severity Exposure of Sensitive System Information to an Unauthorized Control Sphere (CWE-497) vulnerability in Qnap Quts Hero. Its CVSS base score is 2.7 (Low).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 4.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SC-14 (Public Access Protections).

Deeper analysis

CVE-2025-9110 is an exposure of sensitive system information to an unauthorized control sphere vulnerability (CWE-497) that affects several versions of QNAP's QTS and QuTS hero operating systems. Published on 2026-01-02, it carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), highlighting a high-impact confidentiality issue exploitable remotely with low complexity and no authentication or user interaction required.

Remote, unauthenticated attackers can exploit the vulnerability over the network to read sensitive application data, potentially exposing critical system information to unauthorized parties.

QNAP has fixed the vulnerability in QTS 5.2.8.3332 build 20251128 and later, QuTS hero h5.2.8.3321 build 20251117 and later, and QuTS hero h5.3.1.3250 build 20250912 and later. Additional details are available in the QNAP security advisory at https://www.qnap.com/en/security-advisory/qsa-25-51.

EU & UK References

Vulnerability details

An exposure of sensitive system information to an unauthorized control sphere vulnerability has been reported to affect several QNAP operating system versions. The remote attackers can then exploit the vulnerability to read application data. We have already fixed the vulnerability…

more

in the following versions: QTS 5.2.8.3332 build 20251128 and later QuTS hero h5.2.8.3321 build 20251117 and later QuTS hero h5.3.1.3250 build 20250912 and later

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1082 System Information Discovery Discovery
An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture.
Why these techniques?

Direct remote unauthenticated info disclosure in public-facing QNAP NAS service enables exploitation of public-facing apps (T1190) and yields system information (T1082).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-62849Same product: Qnap Qts
CVE-2025-59385Same product: Qnap Qts
CVE-2024-13086Same product: Qnap Qts
CVE-2025-30264Same product: Qnap Qts
CVE-2025-66277Same product: Qnap Qts
CVE-2025-30273Same product: Qnap Qts
CVE-2024-38638Same product: Qnap Qts
CVE-2025-52872Same product: Qnap Qts
CVE-2025-52864Same product: Qnap Qts
CVE-2024-53699Same product: Qnap Qts

Affected Assets

qnap
qts
5.2.0.2737, 5.2.0.2744, 5.2.0.2782, 5.2.0.2802, 5.2.0.2823
qnap
quts hero
h5.2.0.2737, h5.2.0.2782, h5.2.0.2789, h5.2.0.2802, h5.2.0.2823

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates the CVE by identifying, reporting, and timely remediating the specific software flaw exposing sensitive system information in vulnerable QNAP OS versions.

prevent

Protects sensitive information from unauthorized remote access via unauthenticated network methods, directly addressing the no-authentication remote exploitation vector.

prevent

Enforces logical access authorizations to prevent unauthorized reading of sensitive application data by remote attackers.

References