CVE-2025-62849 MEDIUM

CVE-2025-62849: QTS, QuTS hero

Vendor Qnap Systems Inc.

Product QTS

Weakness CWE-89 · SQLi

Published December 16, 2025

Last update February 26, 2026

View on NVD All CVEs

CVSS base score

5.2/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction —

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U

What the vulnerability does

01Description

An SQL injection vulnerability has been reported to affect several QNAP operating system versions. The remote attackers can then exploit the vulnerability to execute unauthorized code or commands. We have already fixed the vulnerability in the following versions: QTS 5.2.7.3297 build 20251024 and later QuTS hero h5.2.7.3297 build 20251024 and later QuTS hero h5.3.1.3292 build 20251024 and later

Key dates

02Disclosure timeline

December 16, 2025 CVE published

February 26, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-62849

Related vulnerabilities

Identifiers

CVE CVE-2025-62849

CWE CWE-89

CVSS 5.2 / MEDIUM

Affected versions

Vendor Qnap Systems Inc.

Product QTS

Affected ≥ 5.2.x and < 5.2.7.3297 build 20251024

Vendor Qnap Systems Inc.

Product QuTS hero

Affected ≥ h5.2.x and < h5.2.7.3297 build 20251024

Vendor Qnap Systems Inc.

Product QuTS hero

Affected ≥ h5.3.x and < h5.3.1.3292 build 20251024

CVE-2025-62849: QTS, QuTS hero

01Description

02Disclosure timeline

03References

04Related CVE