CVE-2025-66278

6.5 MEDIUM

📋 TL;DR

A path traversal vulnerability in QNAP File Station 5 allows authenticated attackers to read arbitrary files on the system. This affects QNAP NAS devices running vulnerable versions of File Station 5. Attackers need valid user credentials to exploit this vulnerability.

💻 Affected Systems

Products:
  • QNAP File Station 5
Versions: prior to 5.5.6.5190
Operating Systems: QTS, QuTS hero
Default Config Vulnerable: ⚠️ Yes
Notes: Affects QNAP NAS devices with File Station 5 enabled. Requires attacker to have a valid user account.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise through reading sensitive configuration files, password files, or SSH keys, potentially leading to lateral movement or ransomware deployment.

🟠

Likely Case

Unauthorized access to sensitive business documents, personal data, or system configuration information stored on the NAS.

🟢

If Mitigated

Limited data exposure restricted to files accessible by the compromised user account's permissions.

🌐 Internet-Facing: HIGH if File Station is exposed to the internet with user accounts accessible to attackers.
🏢 Internal Only: MEDIUM as it requires authenticated access but could be exploited by malicious insiders or compromised internal accounts.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access but path traversal vulnerabilities are typically easy to exploit once authentication is obtained.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: File Station 5 5.5.6.5190 and later

Vendor Advisory: https://www.qnap.com/en/security-advisory/qsa-26-03

Restart Required: Yes

Instructions:

1. Log into QNAP App Center.
2. Check for updates to File Station 5.
3. Update to version 5.5.6.5190 or later.
4. Restart the NAS device to ensure the patch is fully applied.

🔧 Temporary Workarounds

Disable File Station

all

Temporarily disable File Station 5 if immediate patching is not possible

Log into QTS/QuTS hero > Control Panel > Applications > File Station > Disable

Restrict User Access

all

Limit File Station access to only essential users and implement strict access controls

Log into QTS/QuTS hero > Control Panel > Privilege > Users > Modify user permissions

🧯 If You Can't Patch

  • Implement network segmentation to isolate QNAP devices from critical systems
  • Enable detailed logging and monitoring for File Station access patterns

🔍 How to Verify

Check if Vulnerable:

Check File Station version in QNAP App Center. If version is below 5.5.6.5190, the system is vulnerable.

Check Version:

Log into QTS/QuTS hero > App Center > Installed Apps > Check File Station version

Verify Fix Applied:

Verify File Station version shows 5.5.6.5190 or higher in App Center after update.

📡 Detection & Monitoring

Log Indicators:

  • Unusual file access patterns in File Station logs
  • Multiple failed path traversal attempts in web server logs
  • Access to system directories from File Station

Network Indicators:

  • Unusual HTTP requests with directory traversal patterns (../ sequences) to File Station endpoints

SIEM Query:

source="qnap_logs" AND "File Station" AND ("../" OR "%2e%2e%2f" OR "directory traversal")
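
The query above matches literal strings only, so mixed-case or double-encoded traversal sequences pass unnoticed. The following Python sketch is an added example, not code from QNAP or from this page's source: it percent-decodes each logged request until stable, flags `..` path segments, and groups hits by account, since exploitation requires a valid login. The log format, request paths, and threshold are constructed assumptions, not real File Station log fields or endpoints.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in a generic access-log shape; the paths are
# placeholders, not real File Station endpoints.
SAMPLE_LOG = """\
10.0.0.5 alice "GET /app/placeholder?path=/share/docs/report.pdf" 200
10.0.0.9 bob "GET /app/placeholder?path=../../etc/config" 200
10.0.0.9 bob "GET /app/placeholder?path=%2E%2e%2Fprivate" 403
10.0.0.9 bob "GET /app/placeholder?path=%252e%252e%252fprivate" 403
10.0.0.7 carol "GET /app/placeholder?path=/share/v1..2/notes.txt" 200
10.0.0.9 bob "GET /app/placeholder?path=..%5c..%5cprivate" 403
"""

# A ".." path segment: preceded by a separator or "=", followed by a
# separator, a parameter boundary, or end of string.
TRAVERSAL = re.compile(r"(?:^|[/\\=])\.\.(?:[/\\]|[&\s]|$)")
MAX_DECODE_ROUNDS = 3  # bound repeated decoding of nested encodings

def normalize(text):
    """Percent-decode repeatedly until stable (handles double encoding)."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text

def has_traversal(request):
    return bool(TRAVERSAL.search(normalize(request)))

def flag_lines(log_text):
    """Return (source_ip, user, request) for lines with a traversal segment."""
    hits = []
    for line in log_text.splitlines():
        m = re.match(r'(\S+) (\S+) "([^"]*)" (\d{3})', line)
        if m and has_traversal(m.group(3)):
            hits.append((m.group(1), m.group(2), m.group(3)))
    return hits

def repeat_offenders(log_text, threshold=2):
    """Accounts with at least `threshold` flagged requests (assumed cutoff)."""
    counts = {}
    for _, user, _ in flag_lines(log_text):
        counts[user] = counts.get(user, 0) + 1
    return sorted(u for u, n in counts.items() if n >= threshold)
```

The file name `v1..2` in the fifth sample line is deliberately not flagged, because the dots are not a standalone path segment.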
