CVE-2025-62848

ENISA EUVD: EUVD-2025-203491 ↗

✓ Confirmed 0-Day

Triaged: March 5, 2026 1 article Published: 2025-12-16

VulnLookup ↗ NVD ↗ EUVD ↗ MITRE ↗

EPSS Score

Source: FIRST.org · 2026-05-23

0.15%

probability

This CVE has a 0.15% probability of being exploited in the next 30 days.

0% Top 35.2th percentile of all CVEs 100%

CVSS v4.0 NEW

Source: VulnerabilityLookup (CIRCL)

8.1

HIGH

Attack Vector

Network

Attack Complexity

Low

Attack Requirements

None

Privileges Required

None

User Interaction

None

Vulnerable System Confidentiality Impact

High

Vulnerable System Integrity Impact

High

Vulnerable System Availability Impact

High

Subsequent System Confidentiality Impact

None

Subsequent System Integrity Impact

None

Subsequent System Availability Impact

None

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U

CVSS v3.1

Source: NVD

7.5

HIGH

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Description

VulnerabilityLookup (CNA)

A NULL pointer dereference vulnerability has been reported to affect several QNAP operating system versions. The remote attackers can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following versions: QTS 5.2.7.3297 build 20251024 and later QuTS hero h5.2.7.3297 build 20251024 and later QuTS hero h5.3.1.3292 build 20251024 and later

Affected Products

QNAP Systems Inc.

QTS

5.2.x

QNAP Systems Inc.

QuTS hero

h5.2.x h5.3.x

qnap

qts

qnap

quts hero

QNAP Systems Inc.

QuTS hero

h5.3.x <h5.3.1.3292 build 20251024

QNAP Systems Inc.

QuTS hero

h5.2.x <h5.2.7.3297 build 20251024

QNAP Systems Inc.

QTS

5.2.x <5.2.7.3297 build 20251024

Attack Intelligence

CWE-476 · NULL Pointer Dereference CWE-703 · Improper Check or Handling of Exceptional Conditions CWE-710 · Improper Adherence to Coding Standards CWE-754 · Improper Check for Unusual or Exceptional Conditions

https://www.qnap.com/en/security-advisory/qsa-25-45

Signal Intelligence

Confidenceⓘ

85%

EPSS 0.15%

CVSS v4.0 8.1

CVSS v3.1 7.5

Mentions 1

Last Seen Nov 07, 2025

CNA Information

CNA Assigner

qnap

CNA Title

QTS, QuTS hero

Analyst Note

CVE-2025-62848 is explicitly named as one of seven zero-day flaws exploited at Pwn2Own in the BleepingComputer article. QNAP published patches (build 20251024) on or very near the CVE publication date (2025-12-16), indicating exploitation preceded or coincided with patch availability, meeting zero-day criteria.

Threat Actors 2

Hacking Team

apt_group 🇮🇹 IT

Mana Team

apt_group 🇨🇳 CN

Triage Info

Decided atMar 05, 2026

Published DateDec 16, 2025