Cyber Resilience

CVE-2025-44015

Low

Published: 29 August 2025

Modified: 08 December 2025
CVSS Score v4: 2.3 (CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0020 (42.4th percentile)
Risk Priority: 5 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-44015 is a low-severity Command Injection (CWE-77) vulnerability in QNAP HybridDesk Station. Its CVSS base score is 2.3 (Low).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 42.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-44015 is a command injection vulnerability (CWE-77, CWE-78) affecting HybridDesk Station, a component from QNAP. The issue allows attackers to execute arbitrary commands on the affected system. It has a CVSS v3.1 base score of 8.4 (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for complete compromise of confidentiality, integrity, and availability.

An attacker with local network access can exploit this vulnerability without authentication or user interaction. Successful exploitation enables arbitrary command execution on the target system, potentially leading to full system takeover, data theft, or further lateral movement within the network.

QNAP has addressed the vulnerability in HybridDesk Station version 4.2.18 and later. Security practitioners should update to a patched version immediately. Additional details are available in QNAP's security advisory at https://www.qnap.com/en/security-advisory/qsa-25-20.

EU & UK References

Vulnerability details

A command injection vulnerability has been reported to affect HybridDesk Station. If an attacker gains local network access, they can then exploit the vulnerability to execute arbitrary commands. We have already fixed the vulnerability in the following version: HybridDesk Station…

4.2.18 and later

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059 Command and Scripting Interpreter (Execution)
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
Why these techniques?

The command injection vulnerability directly enables remote arbitrary command execution on a network-accessible component (T1190) and facilitates the use of command interpreters for follow-on actions (T1059).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-22901: Same product class: NAS / storage appliance
CVE-2025-30264: Same product class: NAS / storage appliance
CVE-2025-53595: Same product class: NAS / storage appliance
CVE-2024-53700: Same product class: NAS / storage appliance
CVE-2024-56804: Same product class: NAS / storage appliance
CVE-2026-22897: Same product class: NAS / storage appliance
CVE-2024-50390: Same product class: NAS / storage appliance
CVE-2025-29893: Same product class: NAS / storage appliance
CVE-2025-59385: Same product class: NAS / storage appliance
CVE-2024-13086: Same product class: NAS / storage appliance

Affected Assets

qnap
hybriddesk station
4.2.0 — 4.2.18

Mitigating Controls (NIST 800-53 r5)

prevent

Directly addresses the command injection vulnerability by requiring timely identification, reporting, and correction through patching to HybridDesk Station 4.2.18 or later.

prevent

Prevents exploitation of the command injection vulnerability by implementing input validation to mitigate information injection attacks like CWE-77 and CWE-78.

prevent

Enforces input restrictions to limit types and quantities of data that could be used to exploit the command injection vulnerability and enable arbitrary command execution.
