Medium

SQL Injection RCE in QNAP QTS/QuTS hero nvrlog_event_add msg parameter

IdentifiersCVE-2025-62847CWE-89

CVE-2025-62847 is a SQL injection vulnerability affecting QNAP QTS and QuTS hero, including QNAP TS-453E devices. Public reporting and ZDI disclosure indicate the specific flaw exists in the nvrlog_event_add endpoint, where the msg parameter is improperly validated before being incorporated into SQL queries. Although QNAP’s advisory describes the issue more generically as improper neutralization of argument delimiters in a command vulnerability that can be used to alter execution logic, the more specific supporting content identifies the bug as a SQL injection issue that was demonstrated at Pwn2Own Ireland 2025 as part of an exploit chain. Successful exploitation can be leveraged to achieve arbitrary code execution in the context of admin on affected installations.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

A successful attacker can execute arbitrary code on affected QNAP systems with admin-level privileges. The supporting disclosure states the flaw is exploitable by network-adjacent attackers and can result in full compromise of the target with high impact to confidentiality, integrity, and availability. Because the vulnerability was demonstrated as part of a chained exploit at Pwn2Own, it may also facilitate broader device takeover when combined with related flaws.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, reduce exposure of affected QNAP management and application interfaces to untrusted networks, especially network-adjacent access paths. Restrict access to the vulnerable endpoint to trusted administrators only, segment NAS devices from less-trusted LAN segments, and monitor for suspicious requests targeting nvrlog_event_add and anomalous database-backed event logging activity. Because the advisory notes authentication can be bypassed, do not rely solely on access control at the application layer; prioritize network isolation and rapid patching.

Remediation

Patch, then assume compromise.

Apply QNAP’s fixed releases: QTS 5.2.7.3297 build 20251024 or later, QuTS hero h5.2.7.3297 build 20251024 or later, and QuTS hero h5.3.1.3292 build 20251024 or later. The supporting content also references QNAP security advisory QSA-25-45 as the vendor remediation source. Update affected devices promptly to the latest available firmware/software release.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

QNAP SystemsQtsoperating_system

QNAP SystemsQuts Herooperating_system

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

9 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

9 SOURCESView more in app

security affairsNews

Mar 23, 2026

QNAP fixed four vulnerabilities demonstrated at Pwn2Own Ireland 2025

A QNAP vulnerability affecting QTS and QuTS hero operating systems, referenced as one of the zero-day vulnerabilities patched after Pwn2Own Ireland 2025.

securityaffairsNews

Nov 10, 2025

QNAP fixed multiple zero-days in its software demonstrated at Pwn2Own 2025

A zero-day vulnerability in QNAP’s QTS and QuTS hero operating systems, demonstrated at Pwn2Own 2025 and patched by QNAP.

bleeping computerNews

Nov 7, 2025

QNAP fixes seven NAS zero-day flaws exploited at Pwn2Own

A zero-day vulnerability in QNAP's QTS and QuTS hero operating systems, exploited during Pwn2Own Ireland 2025.

security weekNews

Mar 18, 2026

QNAP Patches Vulnerabilities Exploited at Pwn2Own Ireland

One of a set of vulnerabilities demonstrated at Pwn2Own Ireland 2025 as part of an exploit chain combining injection vulnerabilities and a format string bug; patched in QNAP QTS/QuTS hero releases.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity4

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2025-62847

NVD

nvd.nist.gov/vuln/detail/CVE-2025-62847

MITRE CWE · CWE-89

cwe.mitre.org

Vendor Advisory

qnap.com/en/security-advisory/qsa-25-45