CVE-2025-62849

Опубликовано: 16 дек. 2025

Источник: nvd

CVSS3: 9.8

EPSS Низкий

Описание

An SQL injection vulnerability has been reported to affect several QNAP operating system versions. The remote attackers can then exploit the vulnerability to execute unauthorized code or commands.

We have already fixed the vulnerability in the following versions: QTS 5.2.7.3297 build 20251024 and later QuTS hero h5.2.7.3297 build 20251024 and later QuTS hero h5.3.1.3292 build 20251024 and later

Ссылки

https://www.qnap.com/en/security-advisory/qsa-25-45
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:o:qnap:qts:5.2.0.2737:build_20240417:*:*:*:*:*:*

cpe:2.3:o:qnap:qts:5.2.0.2744:build_20240424:*:*:*:*:*:*

cpe:2.3:o:qnap:qts:5.2.0.2782:build_20240601:*:*:*:*:*:*

cpe:2.3:o:qnap:qts:5.2.0.2802:build_20240620:*:*:*:*:*:*

cpe:2.3:o:qnap:qts:5.2.0.2823:build_20240711:*:*:*:*:*:*

cpe:2.3:o:qnap:qts:5.2.0.2851:build_20240808:*:*:*:*:*:*

cpe:2.3:o:qnap:qts:5.2.0.2860:build_20240817:*:*:*:*:*:*

cpe:2.3:o:qnap:qts:5.2.1.2930:build_20241025:*:*:*:*:*:*

cpe:2.3:o:qnap:qts:5.2.2.2950:build_20241114:*:*:*:*:*:*

cpe:2.3:o:qnap:qts:5.2.3.3006:build_20250108:*:*:*:*:*:*

cpe:2.3:o:qnap:qts:5.2.4.3070:build_20250312:*:*:*:*:*:*

cpe:2.3:o:qnap:qts:5.2.4.3079:build_20250321:*:*:*:*:*:*

cpe:2.3:o:qnap:qts:5.2.4.3092:build_20250403:*:*:*:*:*:*

cpe:2.3:o:qnap:qts:5.2.5.3145:build_20250526:*:*:*:*:*:*

cpe:2.3:o:qnap:qts:5.2.6.3195:build_20250715:*:*:*:*:*:*

cpe:2.3:o:qnap:qts:5.2.6.3229:build_20250818:*:*:*:*:*:*

cpe:2.3:o:qnap:qts:5.2.7.3256:build_20250913:*:*:*:*:*:*

Конфигурация 2

Одно из

cpe:2.3:o:qnap:quts_hero:h5.2.0.2737:build_20240417:*:*:*:*:*:*

cpe:2.3:o:qnap:quts_hero:h5.2.0.2782:build_20240601:*:*:*:*:*:*

cpe:2.3:o:qnap:quts_hero:h5.2.0.2789:build_20240607:*:*:*:*:*:*

cpe:2.3:o:qnap:quts_hero:h5.2.0.2802:build_20240620:*:*:*:*:*:*

cpe:2.3:o:qnap:quts_hero:h5.2.0.2823:build_20240711:*:*:*:*:*:*

cpe:2.3:o:qnap:quts_hero:h5.2.0.2851:build_20240808:*:*:*:*:*:*

cpe:2.3:o:qnap:quts_hero:h5.2.0.2860:build_20240817:*:*:*:*:*:*

cpe:2.3:o:qnap:quts_hero:h5.2.1.2929:build_20241025:*:*:*:*:*:*

cpe:2.3:o:qnap:quts_hero:h5.2.1.2940:build_20241105:*:*:*:*:*:*

cpe:2.3:o:qnap:quts_hero:h5.2.2.2952:build_20241116:*:*:*:*:*:*

cpe:2.3:o:qnap:quts_hero:h5.2.3.3006:build_20250108:*:*:*:*:*:*

cpe:2.3:o:qnap:quts_hero:h5.2.4.3070:build_20250312:*:*:*:*:*:*

cpe:2.3:o:qnap:quts_hero:h5.2.4.3079:build_20250321:*:*:*:*:*:*

cpe:2.3:o:qnap:quts_hero:h5.2.5.3138:build_20250519:*:*:*:*:*:*

cpe:2.3:o:qnap:quts_hero:h5.2.6.3195:build_20250715:*:*:*:*:*:*

cpe:2.3:o:qnap:quts_hero:h5.2.7.3256:build_20250913:*:*:*:*:*:*

cpe:2.3:o:qnap:quts_hero:h5.3.0.3115:build_20250430:*:*:*:*:*:*

cpe:2.3:o:qnap:quts_hero:h5.3.0.3145:build_20250530:*:*:*:*:*:*

cpe:2.3:o:qnap:quts_hero:h5.3.0.3192:build_20250716:*:*:*:*:*:*

cpe:2.3:o:qnap:quts_hero:h5.3.1.3250:build_20250912:*:*:*:*:*:*

EPSS

Процентиль: 31%

0.00116

Низкий

9.8 Critical

CVSS3

Дефекты

CWE-89

Связанные уязвимости

GHSA-4cj6-vc44-v9qw

CVSS3: 9.8

github

около 2 месяцев назад

An SQL injection vulnerability has been reported to affect several QNAP operating system versions. The remote attackers can then exploit the vulnerability to execute unauthorized code or commands. We have already fixed the vulnerability in the following versions: QTS 5.2.7.3297 build 20251024 and later QuTS hero h5.2.7.3297 build 20251024 and later QuTS hero h5.3.1.3292 build 20251024 and later

BDU:2025-16028

CVSS3: 10

fstec

3 месяца назад

Уязвимость операционных систем QuTS hero и QTS сетевых устройств Qnap, связанная с использованием памяти после её освобождения, позволяющая нарушителю выполнить произвольный код и повысить свои привилегии