CVE-2025-52425
Published: 07 November 2025
Summary
CVE-2025-52425 is a critical-severity SQL Injection (CWE-89) vulnerability in Qnap Qumagie. Its CVSS base score is 9.5 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 31.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-52425 is an SQL injection vulnerability (CWE-89) affecting QuMagie. Published on 2025-11-07, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity with high impacts on confidentiality, integrity, and availability.
A remote attacker can exploit the vulnerability over the network with low attack complexity, no privileges, and no user interaction required. Exploitation enables execution of unauthorized code or commands on the affected QuMagie instance.
QNAP has fixed the vulnerability in QuMagie 2.7.0 and later versions. Practitioners should update to these releases for mitigation. Additional details are available in the QNAP security advisory at https://www.qnap.com/en/security-advisory/qsa-25-33.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-38284
Vulnerability details
An SQL injection vulnerability has been reported to affect QuMagie. A remote attacker can exploit the vulnerability to execute unauthorized code or commands. We have already fixed the vulnerability in the following versions: QuMagie 2.7.0 and later
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SQL injection vulnerability in QuMagie allows remote unauthenticated attackers to execute unauthorized code/commands, directly mapping to exploitation of a public-facing application.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Requires timely remediation of the specific SQL injection flaw in QuMagie through patching to version 2.7.0 or later as provided by QNAP.
Directly prevents SQL injection exploitation like CVE-2025-52425 by validating and sanitizing all user-supplied inputs to the system.
Identifies SQL injection vulnerabilities such as CVE-2025-52425 through regular scanning, enabling proactive flaw remediation.