CVE-2025-22481 · HIGH 8.8 · EPSS p55.7%

Description

A command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow remote attackers who have gained user access to execute arbitrary commands. We have already fixed the vulnerability in the following versions: QTS 5.2.4.3079 build 20250321 and later; QuTS hero h5.2.4.3079 build 20250321 and later.

Scoring

CVSS 3.1: 8.8 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.92% probability of exploitation · percentile 55.7% · 2026-06-18T12:00:27Z
Published: 2025-06-06
Last modified: 2025-09-23

Underlying weaknesses · 2

CWE-77, CWE-78

References

  1. https://www.qnap.com/en/security-advisory/qsa-25-12

Type | Target | Confidence | Tier
Weakness | Improper Neutralization of Special Elements used in a Command ('Command Injection') (cwe-77) | 0% | live
Weakness | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (cwe-78) | 0% | live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE: CVE-2025-30264
CVE: CVE-2025-66273
CVE: CVE-2025-66279
CVE: CVE-2026-22893
CVE: CVE-2026-24719
CVE: CVE-2025-62849

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.