Cyber Resilience

CVE-2025-52425

Critical

Published: 07 November 2025

Published
07 November 2025
Modified
14 November 2025
KEV Added
Patch
CVSS Score v4 9.5 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0013 31.4th percentile
Risk Priority 19 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-52425 is a critical-severity SQL Injection (CWE-89) vulnerability in Qnap Qumagie. Its CVSS base score is 9.5 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 31.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-52425 is an SQL injection vulnerability (CWE-89) affecting QuMagie. Published on 2025-11-07, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity with high impacts on confidentiality, integrity, and availability.

A remote attacker can exploit the vulnerability over the network with low attack complexity, no privileges, and no user interaction required. Exploitation enables execution of unauthorized code or commands on the affected QuMagie instance.

QNAP has fixed the vulnerability in QuMagie 2.7.0 and later versions. Practitioners should update to these releases for mitigation. Additional details are available in the QNAP security advisory at https://www.qnap.com/en/security-advisory/qsa-25-33.

EU & UK References

Vulnerability details

An SQL injection vulnerability has been reported to affect QuMagie. A remote attacker can exploit the vulnerability to execute unauthorized code or commands. We have already fixed the vulnerability in the following versions: QuMagie 2.7.0 and later

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

SQL injection vulnerability in QuMagie allows remote unauthenticated attackers to execute unauthorized code/commands, directly mapping to exploitation of a public-facing application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-29894Same product class: NAS / storage appliance
CVE-2025-62849Same product class: NAS / storage appliance
CVE-2025-59389Same product class: NAS / storage appliance
CVE-2025-53595Same product class: NAS / storage appliance
CVE-2024-56804Same product class: NAS / storage appliance
CVE-2025-54153Same product class: NAS / storage appliance
CVE-2025-29893Same product class: NAS / storage appliance
CVE-2025-59385Same product class: NAS / storage appliance
CVE-2024-13086Same product class: NAS / storage appliance
CVE-2025-47206Same product class: NAS / storage appliance

Affected Assets

qnap
qumagie
2.6.0 — 2.7.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires timely remediation of the specific SQL injection flaw in QuMagie through patching to version 2.7.0 or later as provided by QNAP.

prevent

Directly prevents SQL injection exploitation like CVE-2025-52425 by validating and sanitizing all user-supplied inputs to the system.

prevent

Identifies SQL injection vulnerabilities such as CVE-2025-52425 through regular scanning, enabling proactive flaw remediation.

References