PT-2025-46145 · Qnap · Qts+1

Le Mau Anh Phong · Published 2025-11-08 · Updated 2026-03-16 · CVE-2025-62849

CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions

QNAP QTS versions prior to 5.2.7.3297 build 20251024
QNAP QuTS hero versions prior to h5.2.7.3297 build 20251024
QNAP QuTS hero versions prior to h5.3.1.3292 build 20251024

Description

An SQL injection flaw exists in QNAP NAS devices running the QTS and QuTS hero operating systems. Successful exploitation of this issue could allow a remote attacker to execute unauthorized code or commands and potentially compromise the device.

Recommendations

Update QTS to version 5.2.7.3297 build 20251024 or later.
Update QuTS hero to version h5.2.7.3297 build 20251024 or later.
Update QuTS hero to version h5.3.1.3292 build 20251024 or later.

Fix

RCE

Use After Free

SQL injection

Weakness Enumeration

Related Identifiers

BDU:2025-16028
CVE-2025-62849
ZDI-26-200

Affected Products

Qts
Quts Hero