CVE-2025-52425

Critical

Published: 07 November 2025

Published

07 November 2025

Modified

14 November 2025

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0011 29.2th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Security Summary

CVE-2025-52425 is an SQL injection vulnerability (CWE-89) affecting QuMagie. Published on 2025-11-07, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity with high impacts on confidentiality, integrity, and availability.

A remote attacker can exploit the vulnerability over the network with low attack complexity, no privileges, and no user interaction required. Exploitation enables execution of unauthorized code or commands on the affected QuMagie instance.

QNAP has fixed the vulnerability in QuMagie 2.7.0 and later versions. Practitioners should update to these releases for mitigation. Additional details are available in the QNAP security advisory at https://www.qnap.com/en/security-advisory/qsa-25-33.

Details

CWE(s): CWE-89

Affected Products

qnap

qumagie

2.6.0 — 2.7.0

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

SQL injection vulnerability in QuMagie allows remote unauthenticated attackers to execute unauthorized code/commands, directly mapping to exploitation of a public-facing application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://www.qnap.com/en/security-advisory/qsa-25-33
Vendor Advisory · security@qnapsecurity.com.tw