CVE-2025-9110 is a vulnerability identified in QNAP Systems Inc.'s QTS operating system, specifically affecting version 5.2.x and related QuTS hero versions. The vulnerability is classified under CWE-497, which involves the exposure of sensitive system information to unauthorized actors. This flaw allows remote attackers to access application data without requiring any authentication, user interaction, or privileges, making it remotely exploitable over the network. The vulnerability does not impact system integrity or availability but compromises confidentiality by enabling unauthorized reading of application data. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U) indicates network attack vector, low complexity, no authentication or user interaction, and low confidentiality impact. The vendor has addressed this issue in QTS 5.2.8.3332 build 20251128 and later, as well as in QuTS hero h5.2.8.3321 build 20251117 and h5.3.1.3250 build 20250912 and later. No public exploits have been reported, and the vulnerability was reserved in August 2025 and published in January 2026. The exposure of sensitive information could aid attackers in further reconnaissance or targeted attacks if left unpatched.

For European organizations, the primary impact of CVE-2025-9110 is the potential unauthorized disclosure of sensitive application data stored or processed on vulnerable QNAP NAS devices. This could lead to confidentiality breaches, especially if the exposed data includes business-critical or personal information protected under regulations like GDPR. While the vulnerability does not allow system control or data modification, the information leakage could facilitate subsequent attacks such as phishing, social engineering, or targeted exploitation of other vulnerabilities. Organizations relying heavily on QNAP NAS for data storage, backup, or file sharing may face increased risk exposure. Given the low CVSS score and lack of known exploits, the immediate risk is limited, but the widespread use of QNAP devices in European SMEs and enterprises means the attack surface is significant. Additionally, sectors with stringent data protection requirements, such as finance, healthcare, and government, could be more sensitive to such information disclosures.

To mitigate CVE-2025-9110, European organizations should promptly update all affected QNAP QTS and QuTS hero devices to the patched versions: QTS 5.2.8.3332 build 20251128 or later, QuTS hero h5.2.8.3321 build 20251117 or later, and QuTS hero h5.3.1.3250 build 20250912 or later. Network segmentation should be employed to isolate NAS devices from untrusted networks, reducing exposure to remote attacks. Implement strict access controls and monitor network traffic for unusual activity targeting NAS devices. Disable unnecessary services and interfaces on QNAP devices to minimize attack vectors. Regularly audit device configurations and logs for signs of unauthorized access or data exfiltration attempts. Additionally, organizations should maintain an inventory of QNAP devices to ensure all are identified and updated. Employing intrusion detection/prevention systems (IDS/IPS) with signatures for QNAP-related exploits can provide early warnings. Finally, ensure backups are securely maintained to prevent data loss in case of exploitation.