What is CVE-2025-53589?

CVE-2025-53589 is a publicly disclosed cybersecurity vulnerability with a LOW severity rating and CVSS score of 1.2.

How to search for CVE vulnerabilities?

You can search the 4nuxd CVE database using CVE IDs, vendor names, product names, or severity levels.

CVE-2025-53589

LOW1.2/ 10.0

Published: January 2, 2026 at 03:16 PM

Modified: January 5, 2026 at 08:20 PM

Source: security@qnapsecurity.com.tw

Vulnerability Description

A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following versions: QTS 5.2.7.3256 build 20250913 and later QuTS hero h5.2.7.3256 build 20250913 and later QuTS hero h5.3.1.3250 build 20250912 and later

CVSS Metrics

Base Score

1.2

Severity

LOW

Vector String

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Weaknesses (CWE)

CWE-476

Source: security@qnapsecurity.com.tw

AI Security Analysis

01 // Technical Summary

QNAP NAS devices are vulnerable to a Denial-of-Service (DoS) attack due to a NULL pointer dereference. An attacker with administrator privileges can trigger this vulnerability, potentially rendering the device unusable. Immediate patching is crucial to mitigate this risk.

02 // Vulnerability Mechanism

Step 1: Account Compromise: The attacker must first gain administrator-level access to the QNAP device. This could be achieved through various means, such as brute-forcing weak passwords, exploiting other vulnerabilities, or social engineering. Step 2: Triggering the Vulnerability: Once administrator access is obtained, the attacker crafts a specific request or initiates a particular operation that triggers the NULL pointer dereference. The exact nature of this request is currently unknown. Step 3: Dereference Execution: The crafted request causes the vulnerable code to attempt to access memory through a NULL pointer. Step 4: Denial-of-Service: The attempt to dereference the NULL pointer results in a crash of the affected process or the entire system, leading to a DoS condition. The device becomes unresponsive and unavailable to legitimate users.

03 // Deep Technical Analysis

The vulnerability stems from a NULL pointer dereference within the QNAP operating system. The root cause likely lies in a function that handles network requests or system resource allocation. Specifically, a pointer, intended to reference a valid memory address, is not properly validated before being dereferenced. This can occur when processing malformed input, handling unexpected conditions, or during race conditions. When the code attempts to access the memory location pointed to by the NULL pointer, a crash occurs, leading to a DoS. The specific function and the exact conditions triggering the dereference are currently unknown based on the provided information, but the fix suggests a code path related to network services or system management was the source of the flaw.