Cyber Resilience

CVE-2025-29894

High

Published: 29 August 2025

Published
29 August 2025
Modified
19 September 2025
KEV Added
Patch
CVSS Score v4 7.5 CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0013 33.0th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-29894 is a high-severity SQL Injection (CWE-89) vulnerability in Qnap Qsync Central. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 33.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-29894 is an SQL injection vulnerability (CWE-89) affecting Qsync Central, a QNAP software component. The issue allows unauthorized code or command execution when exploited. It has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and was published on 2025-08-29.

A remote attacker with a valid user account on the affected Qsync Central instance can exploit this vulnerability over the network with low complexity and no user interaction required. Successful exploitation grants high-impact confidentiality, integrity, and availability effects, enabling the execution of arbitrary code or commands.

The QNAP security advisory (QSA-25-22) at https://www.qnap.com/en/security-advisory/qsa-25-22 confirms the vulnerability has been fixed in Qsync Central version 4.5.0.7, released on 2025/04/23, and all later versions. Security practitioners should update to a patched version immediately to mitigate the risk.

EU & UK References

Vulnerability details

An SQL injection vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to execute unauthorized code or commands. We have already fixed the vulnerability in the following…

more

version: Qsync Central 4.5.0.7 ( 2025/04/23 ) and later

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

SQL injection in a remotely accessible QNAP application directly enables remote code/command execution by an authenticated attacker, mapping to exploitation of a network-accessible application.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-53595Same product: Qnap Qsync Central
CVE-2025-54153Same product: Qnap Qsync Central
CVE-2025-29893Same product: Qnap Qsync Central
CVE-2025-30276Same product: Qnap Qsync Central
CVE-2025-52870Same product: Qnap Qsync Central
CVE-2025-30277Same product: Qnap Qsync Central
CVE-2025-48724Same product: Qnap Qsync Central
CVE-2025-48723Same product: Qnap Qsync Central
CVE-2025-30269Same product: Qnap Qsync Central
CVE-2025-30278Same product: Qnap Qsync Central

Affected Assets

qnap
qsync central
4.5.0.3 — 4.5.0.7

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly prevents SQL injection by requiring validation and sanitization of all user inputs in applications like Qsync Central.

prevent

Mandates timely remediation of identified flaws, such as applying the Qsync Central 4.5.0.7 patch for this SQL injection vulnerability.

prevent

Requires monitoring and acting on security advisories like QNAP's QSA-25-22 to patch the SQL injection vulnerability promptly.

References