Primary

Context

QNAP Operating System SQL Injection Vulnerability Allowing Unauthorized Code Execution

Vulnerability

Patched

A SQL injection vulnerability has been identified in multiple QNAP operating system versions. This vulnerability allows remote attackers to execute unauthorized code or commands on the affected system. The issue has been addressed in QTS 5.2.7.3297 build 20251024 and later, as well as in QuTS hero h5.2.7.3297 build 20251024 and h5.3.1.3292 build 20251024.

Impact

Exploitation of this vulnerability could lead to unauthorized code execution on the affected system.

Remediation

Users can upgrade to QTS 5.2.7.3297 build 20251024 or later, or to QuTS hero h5.2.7.3297 build 20251024 or h5.3.1.3292 build 20251024.

Added: Dec 16, 2025, 3:18 AM

Updated: Dec 16, 2025, 3:18 AM

Vulnerability Rating

Custom Algorithm

spread

6.8

impact

7.5

exploitability

7.0

remediation

7.7

relevance

1.4

threat

0.0

urgency

2.9

incentive

5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

6.8

impact

7.5

exploitability

7.0

remediation

7.7

relevance

1.4

threat

0.0

urgency

2.9

incentive

5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

QNAP Operating System SQL Injection Vulnerability Allowing Unauthorized Code Execution

Vulnerability

Impact

Remediation

Affected Products

QNAP QTS

QNAP QuTS hero

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating