QNAP Flaw Allows Attackers to Bypass Authentication

QNAP Systems has released security patches to address multiple vulnerabilities affecting QVR firmware in legacy VioStor Network Video Recorder (NVR) systems.

The company disclosed two significant security flaws on August 29, 2025, urging users to update their systems immediately to prevent potential security breaches.

Dual Security Flaws Threaten Systems

The security advisory reveals two distinct vulnerabilities that could compromise the integrity of legacy VioStor NVR systems running QVR 5.1.x firmware.

The first vulnerability, tracked as CVE-2025-52856, represents an improper authentication flaw that enables remote attackers to compromise system security without proper credentials.

This critical weakness allows unauthorized individuals to potentially gain access to sensitive surveillance data and system controls.

The second vulnerability, CVE-2025-52861, presents a path traversal security gap that becomes exploitable once an attacker gains administrator-level access.

Through this flaw, malicious actors can read unexpected files and access sensitive system data beyond their intended permissions.

While this vulnerability requires prior administrative access, it significantly amplifies the potential damage from successful attacks.

Key vulnerability characteristics include:

  • CVE-2025-52856: Remote authentication bypass allowing unauthorized system access.
  • CVE-2025-52861: Path traversal vulnerability enabling unauthorized file access.
  • Severity Level: Both classified as “Important” risk level.
  • Discovery Credit: Security researcher Hou Liuyang from 360 Security.
  • Impact Scope: Legacy VioStor NVR systems running QVR 5.1.x firmware.

Both vulnerabilities have been classified as “Important” severity level, indicating substantial risk to affected systems.

The discovery and reporting of these flaws are credited to security researcher Hou Liuyang from 360 Security, highlighting the importance of collaborative security research in identifying critical system vulnerabilities.

QNAP has responded swiftly to these security concerns by releasing updated firmware that addresses both vulnerabilities.

Legacy VioStor NVR systems running QVR 5.1.x are affected, but users can now upgrade to QVR 5.1.6 build 20250621 or later versions to eliminate these security risks.

The company has marked the vulnerabilities as “Resolved,” indicating that comprehensive fixes are available through the latest firmware updates.

This rapid response demonstrates QNAP’s commitment to maintaining the security of their surveillance infrastructure products, even for legacy systems that may no longer receive regular feature updates.

Users can verify their current firmware version and download the appropriate updates directly from QNAP’s official download portal.
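
For administrators who manage several recorders, the version check described above can be applied across an inventory. The following Python example is an added illustration, not QNAP's code or part of the original article. The version-string layout is assumed from the article's "5.1.6 build 20250621" wording, and the host names and function names are hypothetical.

```python
import re

# Fixed release named in the article: QVR 5.1.6 build 20250621.
FIXED_VERSION, FIXED_BUILD = (5, 1, 6), 20250621

# Assumed string layout, modelled on the article's "5.1.6 build 20250621".
_VERSION_RE = re.compile(
    r"^\s*(?:QVR\s+)?(\d+)\.(\d+)\.(\d+)(?:\s+build\s+(\d{8}))?\s*$",
    re.IGNORECASE,
)

def classify(firmware):
    """Return 'patched', 'vulnerable', 'not-covered' or 'unknown'."""
    m = _VERSION_RE.match(firmware or "")
    if not m:
        return "unknown"  # never treat an unparseable string as safe
    version = tuple(int(part) for part in m.group(1, 2, 3))
    if version[:2] != (5, 1):
        return "not-covered"  # the article only speaks about QVR 5.1.x
    if version != FIXED_VERSION:
        return "patched" if version > FIXED_VERSION else "vulnerable"
    # Exactly 5.1.6: only the build date separates fixed from unfixed.
    if m.group(4) is None:
        return "unknown"
    return "patched" if int(m.group(4)) >= FIXED_BUILD else "vulnerable"

def needs_attention(inventory):
    """Hosts that are vulnerable or could not be confirmed as patched."""
    return sorted(
        host for host, fw in inventory.items()
        if classify(fw) in ("vulnerable", "unknown")
    )

# Constructed sample inventory (hypothetical host names and versions).
INVENTORY = {
    "nvr-lobby": "QVR 5.1.6 build 20250621",
    "nvr-dock": "5.1.6 build 20250310",
    "nvr-garage": "QVR 5.1.2 build 20190422",
    "nvr-lab": "5.1.6",
    "nvr-annex": "n/a",
}

if __name__ == "__main__":
    for host, fw in INVENTORY.items():
        print(f"{host:12} {fw!r:32} {classify(fw)}")
    print("update or investigate:", needs_attention(INVENTORY))
```

A 5.1.6 string without a build date is reported as unknown rather than patched, because the fixed and unfixed releases share that version number.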

The company emphasizes the critical nature of these updates, particularly given the sensitive nature of surveillance data typically managed by NVR systems.

Critical Update and Security Guidance

QNAP provides detailed instructions for updating affected systems, emphasizing the straightforward nature of the patch installation process.

Administrators can access the firmware update functionality through the Control Panel’s System Settings menu, where they can upload and install the latest security patches.

The update process requires administrative access to the VioStor NVR system and involves downloading the specific firmware file for the device model from QNAP’s official website.

Once uploaded through the firmware update interface, the system automatically installs the security patches, providing immediate protection against the identified vulnerabilities.

QNAP strongly recommends that users establish regular update schedules to ensure their systems receive the latest security patches promptly.

The company advises checking their product support status page to monitor ongoing support availability for specific NVR models and to stay informed about future security updates and system recommendations.


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.