CVE-2025-62847 — Argument Injection in Systems INC QTS

CWE-88 — Argument Injection4 documents4 sources

Severity

6.6MEDIUMNVD

EPSS

0.1%

top 76.34%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Qnap Systems INC QTS Qnap Systems INC Quts Hero Qnap QTS +1 more

Timeline

PublishedDec 16

Description

An improper neutralization of argument delimiters in a command vulnerability has been reported to affect several QNAP operating system versions. The remote attackers can then exploit the vulnerability to alter execution logic. We have already fixed the vulnerability in the following versions: QTS 5.2.7.3297 build 20251024 and later QuTS hero h5.2.7.3297 build 20251024 and later QuTS hero h5.3.1.3292 build 20251024 and later

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Affected Packages4 packages

▶CVEListV5qnap_systems_inc/quts_heroh5.2.x — h5.2.7.3297 build 20251024+1

▶NVDqnap/quts_hero20 versions+19

▶CVEListV5qnap_systems_inc/qts5.2.x — 5.2.7.3297 build 20251024

▶NVDqnap/qts17 versions+16

🔴Vulnerability Details

GHSA

GHSA-qv28-7w47-rrhx: An improper neutralization of argument delimiters in a command vulnerability has been reported to affect several QNAP operating system versions↗2025-12-16

▶

CVEList

QTS, QuTS hero↗2025-12-16

▶

🕵️Threat Intelligence

Bleepingcomputer

QNAP fixes seven NAS zero-day flaws exploited at Pwn2Own↗2025-11-07

▶