NULL Pointer Dereference Vulnerability in QNAP Operating Systems
CVE-2025-62848

8.1HIGH

Key Information:

Vendor: QNAP
Status: Qts; Quts Hero
Vendor: CVE Published:; 16 December 2025

What is CVE-2025-62848?

A NULL pointer dereference vulnerability exists in various versions of QNAP operating systems, which may allow remote attackers to exploit it for denial-of-service (DoS) attacks. This vulnerability can interrupt service availability by causing the system to crash, leading to potential disruptions in user access and operations. Users are advised to update to the patched versions to mitigate any risks associated with this vulnerability.

Affected Version(s)

QTS 5.2.x < 5.2.7.3297 build 20251024

QuTS hero h5.2.x

QuTS hero h5.3.x

References

https://www.qnap.com/en/security-advisory/qsa-25-45

CVSS V4

Score:

8.1

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Dec 16, 2025
Vulnerability Reserved
Oct 24, 2025

Credit

Pwn2Own 2025 - DEVCORE

JSON