CVE-2025-59388
Published: 12 March 2026
Description
A use of hard-coded password vulnerability has been reported to affect Hyper Data Protector. The remote attackers can then exploit the vulnerability to gain unauthorized access. We have already fixed the vulnerability in the following version: Hyper Data Protector 2.3.1.455 and later
Mitigating Controls (NIST 800-53 r5)
Directly requires timely remediation of software flaws like this hard-coded password vulnerability to prevent unauthorized remote access.
Ensures receipt and implementation of vendor security advisories, such as QNAP's for CVE-2025-59388, to apply patches preventing exploitation.
Mandates secure management of authenticators, explicitly preventing the use of unmanageable hard-coded passwords in systems.
Security Summary
CVE-2025-59388 is a use of hard-coded password vulnerability (CWE-259) affecting Hyper Data Protector software. Published on 2026-03-12, it enables remote attackers to exploit the hard-coded credentials for unauthorized access to the affected component.
Attackers require only network access to the vulnerable Hyper Data Protector instance, with no privileges, authentication, or user interaction needed (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, score 9.8). Successful exploitation grants unauthorized access, resulting in high impacts to confidentiality, integrity, and availability.
QNAP has addressed the issue in Hyper Data Protector version 2.3.1.455 and later. Additional mitigation details are available in the security advisory at https://www.qnap.com/en/security-advisory/qsa-25-48.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Hard-coded password enables remote exploitation of public-facing application (T1190) and use of default/static credentials for unauthorized access (T1078.001).