CVE-2025-59389

ENISA EUVD: EUVD-2026-0664 ↗

✓ Confirmed 0-Day

Triaged: March 5, 2026 1 article Published: 2026-01-02

VulnLookup ↗ NVD ↗ EUVD ↗ MITRE ↗

EPSS Score

Source: FIRST.org · 2026-05-23

0.13%

probability

This CVE has a 0.13% probability of being exploited in the next 30 days.

0% Top 32.1th percentile of all CVEs 100%

CVSS v4.0 NEW

Source: VulnerabilityLookup (CIRCL)

8.1

HIGH

Attack Vector

Network

Attack Complexity

Low

Attack Requirements

None

Privileges Required

None

User Interaction

None

Vulnerable System Confidentiality Impact

High

Vulnerable System Integrity Impact

High

Vulnerable System Availability Impact

High

Subsequent System Confidentiality Impact

None

Subsequent System Integrity Impact

None

Subsequent System Availability Impact

None

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U

CVSS v3.1

Source: NVD

9.8

CRITICAL

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Description

VulnerabilityLookup (CNA)

An SQL injection vulnerability has been reported to affect Hyper Data Protector. The remote attackers can then exploit the vulnerability to execute unauthorized code or commands. We have already fixed the vulnerability in the following versions: Hyper Data Protector 2.2.4.1 and later

Affected Products

QNAP Systems Inc.

Hyper Data Protector

2.2.x

qnap

hyper data protector

QNAP Systems Inc.

Hyper Data Protector

2.2.x <2.2.4.1

Attack Intelligence

CWE-707 · Improper Neutralization CWE-74 · Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') CWE-89 · SQL Injection CWE-943 · Improper Neutralization of Special Elements in Data Query Logic

https://www.qnap.com/en/security-advisory/qsa-25-48

Signal Intelligence

Confidenceⓘ

85%

EPSS 0.13%

CVSS v4.0 8.1

CVSS v3.1 9.8

Mentions 1

Last Seen Nov 07, 2025

CNA Information

CNA Assigner

qnap

CNA Title

Hyper Data Protector

Analyst Note

CVE-2025-59389 is explicitly listed among QNAP's seven NAS zero-day flaws exploited at Pwn2Own, a live hacking competition where vulnerabilities are discovered and exploited in real-time before patches exist. The CVE was patched in version 2.2.4.1, with exploitation occurring at Pwn2Own (January 2025 timeframe), confirming pre-patch exploitation.

Threat Actors 2

Hacking Team

apt_group 🇮🇹 IT

Mana Team

apt_group 🇨🇳 CN

Triage Info

Decided atMar 05, 2026

Published DateJan 02, 2026