CVE-2025-52425
ENISA EUVD: EUVD-2025-38284 ↗
✓ Confirmed 0-Day
Triaged: March 5, 2026
1 article
Published: 2025-11-07
EPSS Score
Source: FIRST.org · 2026-05-23
0.11%
probability
This CVE has a 0.11% probability
of being exploited in the next 30 days.
0%
Top 29.1th percentile of all CVEs
100%
CVSS v4.0 NEW
Source: VulnerabilityLookup (CIRCL)9.5
CRITICAL
Attack Vector
Network
Attack Complexity
Low
Attack Requirements
Present
Privileges Required
None
User Interaction
None
Vulnerable System Confidentiality Impact
High
Vulnerable System Integrity Impact
High
Vulnerable System Availability Impact
High
Subsequent System Confidentiality Impact
High
Subsequent System Integrity Impact
High
Subsequent System Availability Impact
High
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
CVSS v3.1
Source: NVD9.8
CRITICAL
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Description
VulnerabilityLookup (CNA)An SQL injection vulnerability has been reported to affect QuMagie. A remote attacker can exploit the vulnerability to execute unauthorized code or commands.
We have already fixed the vulnerability in the following versions:
QuMagie 2.7.0 and later
Affected Products
QNAP Systems Inc.
QuMagie
2.7.x
Attack Intelligence
Signal Intelligence
Confidence
85%
EPSS
0.11%
CVSS v4.0
9.5
CVSS v3.1
9.8
Mentions
1
Last Seen
Nov 07, 2025
CNA Information
CNA Assigner
qnap
CNA Title
QuMagie
Analyst Note
CVE-2025-52425 is explicitly named in a BleepingComputer article about QNAP fixing seven zero-day flaws exploited at Pwn2Own 2025. The article title directly identifies this as a zero-day exploited in the wild at a major security conference, and the vendor patch (QuMagie 2.7.0+) was released in response to documented exploitation.
Threat Actors 2
Hacking Team
apt_group
🇮🇹 IT
Mana Team
apt_group
🇨🇳 CN
Triage Info
Decided atMar 05, 2026
Published DateNov 07, 2025