Primary

Context

QNAP Operating System Command Injection Vulnerability Allowing Execution Logic Alteration

Vulnerability

Patched

A command injection vulnerability has been identified in several QNAP operating system versions. This issue arises from improper handling of argument delimiters, allowing remote attackers to manipulate execution logic. The vulnerability has been addressed in QTS 5.2.7.3297 build 20251024 and later, as well as QuTS hero h5.2.7.3297 build 20251024 and h5.3.1.3292 build 20251024.

Impact

Exploitation of this vulnerability allows remote attackers to alter the execution logic on the affected system, potentially leading to unauthorized command execution or manipulation of system processes.

Remediation

Users can upgrade to QTS 5.2.7.3297 build 20251024 or later, or QuTS hero h5.2.7.3297 build 20251024 or h5.3.1.3292 build 20251024 to address this vulnerability.

Added: Dec 16, 2025, 3:22 AM

Updated: Dec 16, 2025, 3:22 AM

Vulnerability Rating

Custom Algorithm

spread

6.8

impact

0.6

exploitability

7.0

remediation

7.7

relevance

1.4

threat

0.0

urgency

2.9

incentive

5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

6.8

impact

0.6

exploitability

7.0

remediation

7.7

relevance

1.4

threat

0.0

urgency

2.9

incentive

5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

QNAP Operating System Command Injection Vulnerability Allowing Execution Logic Alteration

Vulnerability

Impact

Remediation

Affected Products

QNAP QTS

QNAP QuTS hero

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating