CVE-2025-9110
Published: 02 January 2026
Summary
CVE-2025-9110 is a low-severity Exposure of Sensitive System Information to an Unauthorized Control Sphere (CWE-497) vulnerability in Qnap Quts Hero. Its CVSS base score is 2.7 (Low).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 4.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SC-14 (Public Access Protections).
Deeper analysis
CVE-2025-9110 is an exposure of sensitive system information to an unauthorized control sphere vulnerability (CWE-497) that affects several versions of QNAP's QTS and QuTS hero operating systems. Published on 2026-01-02, it carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), highlighting a high-impact confidentiality issue exploitable remotely with low complexity and no authentication or user interaction required.
Remote, unauthenticated attackers can exploit the vulnerability over the network to read sensitive application data, potentially exposing critical system information to unauthorized parties.
QNAP has fixed the vulnerability in QTS 5.2.8.3332 build 20251128 and later, QuTS hero h5.2.8.3321 build 20251117 and later, and QuTS hero h5.3.1.3250 build 20250912 and later. Additional details are available in the QNAP security advisory at https://www.qnap.com/en/security-advisory/qsa-25-51.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-0657
Vulnerability details
An exposure of sensitive system information to an unauthorized control sphere vulnerability has been reported to affect several QNAP operating system versions. The remote attackers can then exploit the vulnerability to read application data. We have already fixed the vulnerability…
more
in the following versions: QTS 5.2.8.3332 build 20251128 and later QuTS hero h5.2.8.3321 build 20251117 and later QuTS hero h5.3.1.3250 build 20250912 and later
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Direct remote unauthenticated info disclosure in public-facing QNAP NAS service enables exploitation of public-facing apps (T1190) and yields system information (T1082).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly mitigates the CVE by identifying, reporting, and timely remediating the specific software flaw exposing sensitive system information in vulnerable QNAP OS versions.
Protects sensitive information from unauthorized remote access via unauthenticated network methods, directly addressing the no-authentication remote exploitation vector.
Enforces logical access authorizations to prevent unauthorized reading of sensitive application data by remote attackers.