VYPR
Critical severity · NVD Advisory · Published Jun 10, 2026

CVE-2025-66276

Description

A vulnerability in legacy QTS versions with NFS enabled allows attackers to gain access due to misconfigured NFS settings.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A vulnerability has been reported to affect legacy QTS versions 4.3.x when the NFS (Network File System) service is enabled. The vulnerability stems from misconfigurations in NFS settings, which, if exploited, could allow attackers to perform actions and gain access [1]. QuTS hero is not affected.

Exploitation

An attacker can exploit this vulnerability by leveraging misconfigured NFS settings. The available references do not detail the specific steps or prerequisites required for exploitation, such as network position or authentication requirements [1].

Impact

Successful exploitation of this vulnerability allows attackers to perform actions and potentially gain access to the system. The exact scope and privilege level of the compromise are not detailed in the available references [1].

Mitigation

The vulnerability has been fixed in QTS 5.2.7.3256 build 20250913 and later, and in QTS 5.2.x and later for affected QTS 4.3.x products [1]. Users should update their systems to the latest version. The advisory also recommends strengthening NFS access control for shared folders by reviewing and adjusting NFS permission settings [1].

AI Insight generated on Jun 10, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1
  • Qnap/Qts (llm-fuzzy)
    Range: >=5.2.7.3256 build 20250913

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

1
