Cyber Posture

CVE-2025-62849

Severity: Critical
Published: 16 December 2025
Modified: 17 December 2025
KEV Added: (no date listed)
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0013 (32.1st percentile)
Risk Priority: 20 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Description

An SQL injection vulnerability has been reported to affect several QNAP operating system versions. The remote attackers can then exploit the vulnerability to execute unauthorized code or commands. We have already fixed the vulnerability in the following versions: QTS 5.2.7.3297 build 20251024 and later; QuTS hero h5.2.7.3297 build 20251024 and later; QuTS hero h5.3.1.3292 build 20251024 and later.

Mitigating Controls (NIST 800-53 r5) [AI-generated]

Prevent: SI-10 (Information Input Validation) directly prevents SQL injection by validating and sanitizing all untrusted input before it is used in SQL queries.

Prevent: SI-2 (Flaw Remediation) ensures timely identification, testing, and application of patches to remediate this specific SQL injection flaw in the affected QNAP OS versions.

Detect: RA-5 (Vulnerability Monitoring and Scanning) enables vulnerability scanning to identify the SQL injection vulnerability on affected QNAP systems so it can be remediated promptly.

Security Summary [AI-generated]

CVE-2025-62849 is an SQL injection vulnerability (CWE-89) affecting several versions of QNAP operating systems, including QTS and QuTS hero. The flaw allows remote attackers to inject malicious SQL queries, leading to the execution of unauthorized code or commands. It has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity: it is reachable over the network, low in attack complexity, and requires neither privileges nor user interaction.

Remote, unauthenticated attackers can exploit this vulnerability over the network with no user interaction required. Successful exploitation has high confidentiality, integrity, and availability impact, potentially enabling full system compromise through arbitrary code execution.

QNAP has addressed the issue in the following releases: QTS 5.2.7.3297 build 20251024 and later, QuTS hero h5.2.7.3297 build 20251024 and later, and QuTS hero h5.3.1.3292 build 20251024 and later. Security practitioners should apply these updates promptly and refer to the official advisory at https://www.qnap.com/en/security-advisory/qsa-25-45 for full details on affected versions and mitigation steps.

Details

CWE(s): CWE-89 (Improper Neutralization of Special Elements used in an SQL Command)

Affected Products

QNAP QTS: 5.2.0.2737, 5.2.0.2744, 5.2.0.2782, 5.2.0.2802, 5.2.0.2823
QNAP QuTS hero: h5.2.0.2737, h5.2.0.2782, h5.2.0.2789, h5.2.0.2802, h5.2.0.2823

MITRE ATT&CK Enterprise Techniques [AI-generated]

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

The SQL injection vulnerability in network-accessible QNAP OS (QTS/QuTS hero) lets remote unauthenticated attackers execute arbitrary code or commands, which maps directly to T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References