CVE-2025-59389
Published: 02 January 2026
Description
An SQL injection vulnerability has been reported to affect Hyper Data Protector. The remote attackers can then exploit the vulnerability to execute unauthorized code or commands. We have already fixed the vulnerability in the following versions: Hyper Data Protector 2.2.4.1…
more
and later
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates the SQL injection vulnerability by requiring validation of all remote inputs to Hyper Data Protector, preventing malicious SQL command execution.
Addresses the specific CVE by ensuring timely installation of the vendor patch in Hyper Data Protector version 2.2.4.1 and later to remediate the input handling flaw.
Provides boundary protection against remote unauthenticated SQL injection attacks using mechanisms like web application firewalls to inspect and block malicious payloads.
Security SummaryAI
CVE-2025-59389 is an SQL injection vulnerability (CWE-89) affecting Hyper Data Protector. Published on 2026-01-02, it enables remote attackers to execute unauthorized code or commands by exploiting flawed input handling in the software.
Remote, unauthenticated attackers with network access can exploit this vulnerability with low complexity and no user interaction required, as indicated by its CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). Successful exploitation grants high impacts on confidentiality, integrity, and availability, potentially allowing full compromise of affected systems.
QNAP has addressed the issue in Hyper Data Protector version 2.2.4.1 and later. Additional mitigation details are available in the vendor's security advisory at https://www.qnap.com/en/security-advisory/qsa-25-48.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SQL injection vulnerability in a remotely accessible service (Hyper Data Protector) directly enables exploitation of a public-facing application for remote code execution.