Use of Externally-Controlled Format String

CVE-2025-53407

Medium

5.1/10

Summary

A use of externally-controlled format string vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to obtain secret data or modify memory. We have already fixed the vulnerability in the following versions: QTS 5.2.6.3195 build 20250715 and later QuTS hero h5.2.6.3195 build 20250715 and later

Attack Complexity: LOW
Attack Vector: NETWORK
Integrity Impact: HIGH
Scope: UNCHANGED
User Interaction: NONE
Privileges Required: HIGH
Confidentiality Impact: HIGH
Availability Impact: NONE

CWE-134 - Use of Externally-Controlled Format String

The software uses a function that accepts a format string as an argument, but the format string originates from an external source.

References

Advisory Timeline

Published Oct 03, 2025

Use of Externally-Controlled Format String

CVE-2025-53407

Summary

CWE-134 - Use of Externally-Controlled Format String

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS