CVE-2025-52856
Published: 29 August 2025
Summary
CVE-2025-52856 is a critical-severity Improper Authentication (CWE-287) vulnerability in Qnap Qvr. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 47.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates the improper authentication vulnerability by requiring timely identification, reporting, and correction through vendor-recommended patches like VioStor 5.1.6 build 20250621.
Enables proactive detection of the CVE-2025-52856 vulnerability via regular scanning and assessment of VioStor systems, leading to prioritized remediation.
Limits remote attacker access to the vulnerable VioStor authentication mechanism by monitoring and controlling communications at external network boundaries.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Improper authentication (CWE-287) in a remotely accessible NVR application directly enables unauthenticated network exploitation of a public-facing service, matching T1190.
NVD Description
An improper authentication vulnerability has been reported to affect VioStor. If a remote attacker, they can then exploit the vulnerability to compromise the security of the system. We have already fixed the vulnerability in the following version: VioStor 5.1.6 build…
more
20250621 and later
Deeper analysisAI
CVE-2025-52856 is an improper authentication vulnerability (CWE-287) affecting QNAP's VioStor network video recorder software. The issue resides in the authentication mechanism, enabling exploitation prior to the patched version, VioStor 5.1.6 build 20250621. It carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its potential for widespread remote impact.
A remote attacker requires no privileges or user interaction to exploit this vulnerability over the network with low complexity. Successful exploitation allows the attacker to compromise the security of the affected VioStor system, gaining high levels of access to confidentiality, integrity, and availability, potentially leading to full system control.
QNAP's security advisory (QSA-25-29) confirms the vulnerability has been addressed in VioStor 5.1.6 build 20250621 and later versions. Security practitioners should prioritize updating affected VioStor instances to mitigate the risk, as detailed in the advisory at https://www.qnap.com/en/security-advisory/qsa-25-29.
Details
- CWE(s)