CVE-2025-62849 — SQL Injection in Systems INC QTS

CWE-89 — SQL Injection4 documents4 sources

Severity

5.2MEDIUMNVD

EPSS

0.1%

top 71.28%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Qnap Systems INC QTS Qnap Systems INC Quts Hero Qnap QTS +1 more

Timeline

PublishedDec 16

Description

An SQL injection vulnerability has been reported to affect several QNAP operating system versions. The remote attackers can then exploit the vulnerability to execute unauthorized code or commands. We have already fixed the vulnerability in the following versions: QTS 5.2.7.3297 build 20251024 and later QuTS hero h5.2.7.3297 build 20251024 and later QuTS hero h5.3.1.3292 build 20251024 and later

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Affected Packages4 packages

▶CVEListV5qnap_systems_inc/quts_heroh5.2.x — h5.2.7.3297 build 20251024+1

▶NVDqnap/quts_hero20 versions+19

▶CVEListV5qnap_systems_inc/qts5.2.x — 5.2.7.3297 build 20251024

▶NVDqnap/qts17 versions+16

🔴Vulnerability Details

GHSA

GHSA-4cj6-vc44-v9qw: An SQL injection vulnerability has been reported to affect several QNAP operating system versions↗2025-12-16

▶

CVEList

QTS, QuTS hero↗2025-12-16

▶

🕵️Threat Intelligence

Bleepingcomputer

QNAP fixes seven NAS zero-day flaws exploited at Pwn2Own↗2025-11-07

▶