CVE-2025-62847
HIGHDescription
An improper neutralization of argument delimiters in a command vulnerability has been reported to affect several QNAP operating system versions. The remote attackers can then exploit the vulnerability to alter execution logic. We have already fixed the vulnerability in the following versions: QTS 5.2.7.3297 build 20251024 and later QuTS hero h5.2.7.3297 build 20251024 and later QuTS hero h5.3.1.3292 build 20251024 and later
Is your site exposed to CVE-2025-62847?
Run a free security scan — no signup, results in seconds.
CVSS v3.1 Score
Weakness Type (CWE)
Affected Products
| Vendor | Product |
|---|---|
| qnap | qts |
| qnap | qts |
| qnap | qts |
| qnap | qts |
| qnap | qts |
| qnap | qts |
| qnap | qts |
| qnap | qts |
| qnap | qts |
| qnap | qts |
| qnap | qts |
| qnap | qts |
| qnap | qts |
| qnap | qts |
| qnap | qts |
| qnap | qts |
| qnap | qts |
| qnap | quts_hero |
| qnap | quts_hero |
| qnap | quts_hero |
| qnap | quts_hero |
| qnap | quts_hero |
| qnap | quts_hero |
| qnap | quts_hero |
| qnap | quts_hero |
| qnap | quts_hero |
| qnap | quts_hero |
| qnap | quts_hero |
| qnap | quts_hero |
| qnap | quts_hero |
| qnap | quts_hero |
| qnap | quts_hero |
| qnap | quts_hero |
| qnap | quts_hero |
| qnap | quts_hero |
| qnap | quts_hero |
| qnap | quts_hero |
References
Advisories & Patches
Frequently Asked Questions
What is CVE-2025-62847? +
How severe is CVE-2025-62847? +
What products are affected by CVE-2025-62847? +
How do I check if I'm vulnerable to CVE-2025-62847? +
Related Vulnerabilities
A hidden console command is vulnerable to command injection flaw when control characters are passed to its second argument. A …
Atheos is a self-hosted browser-based cloud integrated development environment. Prior to version 6.0.4, improper use of `escapeshellcmd()` in `/components/codegit/traits/execute.php` allows …
Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations …
Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') vulnerability in CRESTRON TOUCHSCREENS x70 allows Argument Injection.This issue affects …
XZ Utils provide a general-purpose data-compression library plus command-line tools. When built for native Windows (MinGW-w64 or MSVC), the command …
Easywall 0.3.1 allows authenticated remote command execution via a command injection vulnerability in the /ports-save endpoint that suffers from a …