CVE-2025-52425

Critical

Published: 07 November 2025

Published

07 November 2025

Modified

14 November 2025

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0011 29.1th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-52425 is a critical-severity SQL Injection (CWE-89) vulnerability in Qnap Qumagie. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 29.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Requires timely remediation of the specific SQL injection flaw in QuMagie through patching to version 2.7.0 or later as provided by QNAP.

SI-10 Information Input Validation good match

prevent

Directly prevents SQL injection exploitation like CVE-2025-52425 by validating and sanitizing all user-supplied inputs to the system.

RA-5 Vulnerability Monitoring and Scanning partial match

prevent

Identifies SQL injection vulnerabilities such as CVE-2025-52425 through regular scanning, enabling proactive flaw remediation.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

SQL injection vulnerability in QuMagie allows remote unauthenticated attackers to execute unauthorized code/commands, directly mapping to exploitation of a public-facing application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

An SQL injection vulnerability has been reported to affect QuMagie. A remote attacker can exploit the vulnerability to execute unauthorized code or commands. We have already fixed the vulnerability in the following versions: QuMagie 2.7.0 and later

Deeper analysisAI

CVE-2025-52425 is an SQL injection vulnerability (CWE-89) affecting QuMagie. Published on 2025-11-07, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity with high impacts on confidentiality, integrity, and availability.

A remote attacker can exploit the vulnerability over the network with low attack complexity, no privileges, and no user interaction required. Exploitation enables execution of unauthorized code or commands on the affected QuMagie instance.

QNAP has fixed the vulnerability in QuMagie 2.7.0 and later versions. Practitioners should update to these releases for mitigation. Additional details are available in the QNAP security advisory at https://www.qnap.com/en/security-advisory/qsa-25-33.

Details

CWE(s): CWE-89

Affected Products

qnap

qumagie

2.6.0 — 2.7.0

CVEs Like This One

CVE-2025-59389Same product class: NAS / storage appliance

CVE-2025-29894Same product class: NAS / storage appliance

CVE-2025-62849Same product class: NAS / storage appliance

CVE-2025-53595Same product class: NAS / storage appliance

CVE-2025-54153Same product class: NAS / storage appliance

CVE-2024-56804Same product class: NAS / storage appliance

CVE-2025-29893Same product class: NAS / storage appliance

CVE-2025-30276Same product class: NAS / storage appliance

CVE-2024-13086Same product class: NAS / storage appliance

CVE-2026-22898Same product class: NAS / storage appliance

References

https://www.qnap.com/en/security-advisory/qsa-25-33
Vendor Advisory · security@qnapsecurity.com.tw