CVE-2025-66278: CWE-22 in QNAP Systems Inc. File Station 5
CVE-2025-66278 is a path traversal vulnerability affecting QNAP Systems Inc.'s File Station 5 version 5.5.x. An attacker with a valid user account can exploit this flaw to read unauthorized files on the system, potentially exposing sensitive data. The vulnerability does not require user interaction and has a low CVSS score of 1.3, indicating limited impact and ease of exploitation. QNAP has addressed the issue in File Station 5 version 5.5.6.
AI Analysis
Technical Summary
CVE-2025-66278 is a path traversal vulnerability classified under CWE-22 that affects QNAP Systems Inc.'s File Station 5 software, specifically versions 5.5.x. File Station 5 is a file management application commonly used on QNAP NAS devices to facilitate file sharing and management. The vulnerability allows an attacker who has already obtained a valid user account on the system to exploit the path traversal flaw to access files outside the intended directory scope. This means the attacker can read arbitrary files on the NAS device, potentially exposing sensitive system files or user data. The vulnerability does not require any user interaction and can be exploited remotely over the network. The CVSS 4.0 base score is 1.3, indicating low severity due to the requirement for authenticated access and limited impact on confidentiality (partial), with no impact on integrity or availability. QNAP has released a fix in File Station 5 version 5.5.6.5190 and later, addressing the path traversal issue. No public exploits or active exploitation campaigns have been reported to date. The vulnerability highlights the importance of controlling user account access and applying timely patches to NAS devices, especially in environments where sensitive data is stored.
Potential Impact
For European organizations, the impact of CVE-2025-66278 is primarily related to unauthorized disclosure of sensitive files stored on QNAP NAS devices running vulnerable versions of File Station 5. If an attacker gains user credentials, they could leverage this vulnerability to access confidential business documents, configuration files, or system data, potentially leading to information leakage or aiding further attacks. While the vulnerability does not allow modification or deletion of files, the exposure of sensitive data could have regulatory and reputational consequences, especially under GDPR. Organizations using QNAP NAS for critical file storage or sharing should consider this a risk vector. However, the low CVSS score and requirement for authenticated access limit the scope and severity of impact. The absence of known exploits in the wild reduces immediate risk but does not eliminate the need for vigilance and patching.
Mitigation Recommendations
1. Immediately upgrade all QNAP NAS devices running File Station 5 to version 5.5.6.5190 or later to apply the official patch.
2. Enforce strong authentication controls, including complex passwords and multi-factor authentication (MFA), to reduce the risk of credential compromise.
3. Regularly audit user accounts and permissions on NAS devices to ensure that only authorized personnel have access.
4. Monitor NAS device logs for unusual access patterns or attempts to access files outside normal directories.
5. Segment NAS devices within the network to limit exposure and restrict access to trusted users and systems only.
6. Educate users about phishing and credential theft risks to prevent unauthorized account access.
7. Implement network-level protections such as VPNs or IP whitelisting to restrict remote access to NAS management interfaces.
8. Maintain up-to-date backups of critical data to mitigate potential data loss from other attack vectors.
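The containment check that closes a CWE-22 flaw of the kind described above, together with a replay of the log-monitoring idea in recommendation 4, as an added Python example that is not QNAP's code; it assumes a constructed "user=<u> path=<p>" log format and per-user share roots.

```python
import posixpath
from urllib.parse import unquote


class PathTraversalError(ValueError):
    """Raised when a requested path would resolve outside the caller's share root."""


def naive_resolve(share_root: str, user_path: str) -> str:
    # The CWE-22 anti-pattern: the client-supplied path is glued onto the
    # share root without normalisation, so "../" segments walk out of it.
    return share_root.rstrip("/") + "/" + user_path


def safe_resolve(share_root: str, user_path: str) -> str:
    # Hardened form: decode exactly once, normalise, then prove containment.
    # (On a live filesystem, also pass the result through os.path.realpath
    # so symlinks inside the share cannot point back out of it.)
    decoded = unquote(user_path)
    if "\x00" in decoded:
        raise PathTraversalError("NUL byte in requested path")
    root = posixpath.normpath(share_root)
    candidate = posixpath.normpath(posixpath.join(root, decoded))
    # The trailing "/" stops "/share/homes/alice_backup" matching "/share/homes/alice".
    if candidate != root and not candidate.startswith(root + "/"):
        raise PathTraversalError(f"{user_path!r} escapes {root}")
    return candidate


def flag_traversal_attempts(log_lines, share_roots):
    # Replays access-log entries through safe_resolve and returns the entries
    # that would have escaped the requesting user's share root.
    flagged = []
    for line in log_lines:
        fields = dict(f.split("=", 1) for f in line.split() if "=" in f)
        user, path = fields.get("user"), fields.get("path")
        if user not in share_roots or path is None:
            continue
        try:
            safe_resolve(share_roots[user], path)
        except PathTraversalError:
            flagged.append(line)
    return flagged


# Constructed sample data (hypothetical users, roots and log entries).
SHARE_ROOTS = {"alice": "/share/homes/alice", "bob": "/share/homes/bob"}
SAMPLE_LOG = [
    "user=alice path=docs/report.pdf",            # legitimate
    "user=alice path=docs/../notes.txt",          # legitimate, stays inside root
    "user=alice path=../bob/private/keys.txt",    # escapes into another user's home
    "user=alice path=/share/homes/bob/notes.txt", # absolute path ignores the root
    "user=bob path=..%2F..%2Fetc%2Fconfig.ini",   # URL-encoded traversal
]

if __name__ == "__main__":
    for entry in flag_traversal_attempts(SAMPLE_LOG, SHARE_ROOTS):
        print("traversal attempt:", entry)
```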
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: qnap
- Date Reserved: 2025-11-26T09:25:37.833Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 698c7a214b57a58fa195d0fa
Added to database: 2/11/2026, 12:46:25 PM
Last enriched: 2/18/2026, 3:09:24 PM
Last updated: 2/21/2026, 2:19:17 AM