CVE-2025-62847

An improper neutralization of argument delimiters in a command vulnerability has been reported to affect several QNAP operating system versions. The remote attackers can then exploit the vulnerability to alter execution logic.

We have already fixed the vulnerability in the following versions: QTS 5.2.7.3297 build 20251024 and later QuTS hero h5.2.7.3297 build 20251024 and later QuTS hero h5.3.1.3292 build 20251024 and later

Published: Dec 16, 2025
Updated: Dec 18, 2025
CVE: CVE-2025-62847
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 7.5
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CWEs:

CWE-88

OWASP TOP 10:

A1 - Injection

Affected Software
References

Software	From	Fixed in
qnap / qts	5.2.0.2737-build_20240417	5.2.0.2737-build_20240417.x
qnap / qts	5.2.0.2744-build_20240424	5.2.0.2744-build_20240424.x
qnap / qts	5.2.0.2782-build_20240601	5.2.0.2782-build_20240601.x
qnap / qts	5.2.0.2802-build_20240620	5.2.0.2802-build_20240620.x
qnap / qts	5.2.0.2823-build_20240711	5.2.0.2823-build_20240711.x
qnap / qts	5.2.0.2851-build_20240808	5.2.0.2851-build_20240808.x
qnap / qts	5.2.0.2860-build_20240817	5.2.0.2860-build_20240817.x
qnap / qts	5.2.1.2930-build_20241025	5.2.1.2930-build_20241025.x
qnap / qts	5.2.2.2950-build_20241114	5.2.2.2950-build_20241114.x
qnap / qts	5.2.3.3006-build_20250108	5.2.3.3006-build_20250108.x
qnap / qts	5.2.4.3070-build_20250312	5.2.4.3070-build_20250312.x
qnap / qts	5.2.4.3079-build_20250321	5.2.4.3079-build_20250321.x
qnap / qts	5.2.4.3092-build_20250403	5.2.4.3092-build_20250403.x
qnap / qts	5.2.5.3145-build_20250526	5.2.5.3145-build_20250526.x
qnap / qts	5.2.6.3195-build_20250715	5.2.6.3195-build_20250715.x
qnap / qts	5.2.6.3229-build_20250818	5.2.6.3229-build_20250818.x
qnap / qts	5.2.7.3256-build_20250913	5.2.7.3256-build_20250913.x
qnap / quts_hero	h5.2.0.2737-build_20240417	h5.2.0.2737-build_20240417.x
qnap / quts_hero	h5.2.0.2782-build_20240601	h5.2.0.2782-build_20240601.x
qnap / quts_hero	h5.2.0.2789-build_20240607	h5.2.0.2789-build_20240607.x
qnap / quts_hero	h5.2.0.2802-build_20240620	h5.2.0.2802-build_20240620.x
qnap / quts_hero	h5.2.0.2823-build_20240711	h5.2.0.2823-build_20240711.x
qnap / quts_hero	h5.2.0.2851-build_20240808	h5.2.0.2851-build_20240808.x
qnap / quts_hero	h5.2.0.2860-build_20240817	h5.2.0.2860-build_20240817.x
qnap / quts_hero	h5.2.1.2929-build_20241025	h5.2.1.2929-build_20241025.x
qnap / quts_hero	h5.2.1.2940-build_20241105	h5.2.1.2940-build_20241105.x
qnap / quts_hero	h5.2.2.2952-build_20241116	h5.2.2.2952-build_20241116.x
qnap / quts_hero	h5.2.3.3006-build_20250108	h5.2.3.3006-build_20250108.x
qnap / quts_hero	h5.2.4.3070-build_20250312	h5.2.4.3070-build_20250312.x
qnap / quts_hero	h5.2.4.3079-build_20250321	h5.2.4.3079-build_20250321.x
qnap / quts_hero	h5.2.5.3138-build_20250519	h5.2.5.3138-build_20250519.x
qnap / quts_hero	h5.2.6.3195-build_20250715	h5.2.6.3195-build_20250715.x
qnap / quts_hero	h5.2.7.3256-build_20250913	h5.2.7.3256-build_20250913.x
qnap / quts_hero	h5.3.0.3115-build_20250430	h5.3.0.3115-build_20250430.x
qnap / quts_hero	h5.3.0.3145-build_20250530	h5.3.0.3145-build_20250530.x
qnap / quts_hero	h5.3.0.3192-build_20250716	h5.3.0.3192-build_20250716.x
qnap / quts_hero	h5.3.1.3250-build_20250912	h5.3.1.3250-build_20250912.x

https://www.qnap.com/en/security-advisory/qsa-25-45

Vulnerability Database

313,825

CVE-2025-62847

Deep Security Visibility Without the Complexity