Cyber Posture

CVE-2025-30278

Severity: High

Published: 29 August 2025
Modified: 19 September 2025
KEV Added: not listed
Patch: available (Qsync Central 4.5.0.7)
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0012 (30.3rd percentile)
Risk Priority: 18 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-30278 is a high-severity Improper Certificate Validation (CWE-295) vulnerability in QNAP Qsync Central. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 30.3rd percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-17 (Public Key Infrastructure Certificates) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and one other technique (T1553 Subvert Trust Controls). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

SC-17 Public Key Infrastructure Certificates (prevent): Directly mandates establishment of requirements for PKI certificate validation, comprehensively addressing the improper certificate validation vulnerability in CVE-2025-30278.

SI-2 Flaw Remediation (prevent): Requires timely identification, testing, and deployment of patches to remediate flaws like the certificate validation issue fixed in Qsync Central 4.5.0.7.

Vulnerability scanning (detect): Provides vulnerability scanning to identify and prioritize remediation of specific issues like CVE-2025-30278 prior to exploitation by remote attackers with user accounts.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1553 Subvert Trust Controls (Defense Impairment): Adversaries may undermine security controls that will either warn users of untrusted activity or prevent execution of untrusted programs.

Why these techniques?

Improper certificate validation (CWE-295) in the public-facing Qsync service allows authenticated users to exploit it remotely for full compromise; this maps to exploitation of a public-facing application and to subversion of trust controls.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

An improper certificate validation vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to compromise the security of the system. We have already fixed the vulnerability in the following version: Qsync Central 4.5.0.7 ( 2025/04/23 ) and later

Deeper analysis

CVE-2025-30278 is an improper certificate validation vulnerability (CWE-295) affecting Qsync Central. Published on 2025-08-29, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact across confidentiality, integrity, and availability.

A remote attacker who first gains a user account on the affected system can exploit the vulnerability over the network with low attack complexity and no user interaction required. Successful exploitation allows the attacker to compromise the overall security of the system.

QNAP has fixed the vulnerability in Qsync Central version 4.5.0.7, released on 2025/04/23, and all later versions. Additional details are available in the vendor's security advisory at https://www.qnap.com/en/security-advisory/qsa-25-22.

Details

CWE(s): CWE-295 Improper Certificate Validation

Affected Products: QNAP Qsync Central, versions 4.5.0.3 to 4.5.0.7

CVEs Like This One

CVE-2025-30277 (same product: QNAP Qsync Central)
CVE-2025-52870 (same product: QNAP Qsync Central)
CVE-2025-30276 (same product: QNAP Qsync Central)
CVE-2025-29894 (same product: QNAP Qsync Central)
CVE-2025-30269 (same product: QNAP Qsync Central)
CVE-2025-53595 (same product: QNAP Qsync Central)
CVE-2025-54153 (same product: QNAP Qsync Central)
CVE-2025-48724 (same product: QNAP Qsync Central)
CVE-2025-48723 (same product: QNAP Qsync Central)
CVE-2025-57709 (same product: QNAP Qsync Central)