CVE-2025-52856

Severity: Critical
Published: 29 August 2025
Modified: 10 December 2025
KEV added: not listed
CVSS v4 score: 9.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0029 (52.6th percentile)
Risk priority: 19 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-52856 is a critical-severity Improper Authentication (CWE-287) vulnerability in QNAP QVR. Its CVSS base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 47.4% of CVEs by exploit likelihood (EPSS), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-52856 is an improper authentication vulnerability (CWE-287) affecting QNAP's VioStor network video recorder software. The issue resides in the authentication mechanism, enabling exploitation prior to the patched version, VioStor 5.1.6 build 20250621. It carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its potential for widespread remote impact.

A remote attacker requires no privileges or user interaction to exploit this vulnerability over the network with low complexity. Successful exploitation allows the attacker to compromise the security of the affected VioStor system, gaining high levels of access to confidentiality, integrity, and availability, potentially leading to full system control.

QNAP's security advisory (QSA-25-29) confirms the vulnerability has been addressed in VioStor 5.1.6 build 20250621 and later versions. Security practitioners should prioritize updating affected VioStor instances to mitigate the risk, as detailed in the advisory at https://www.qnap.com/en/security-advisory/qsa-25-29.
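The advisory above fixes the issue at a specific version and build ("VioStor 5.1.6 build 20250621"), so a plain version-string comparison is not enough: two installs reporting "5.1.6" can differ only in the build number. The following is an added example written for this page, not code from QNAP or from the vulnerability record. It assumes the version string format shown in the advisory text ("major.minor.patch build NNNNNNNN") and treats a version with no build number as older than the same version with one, so that an unqualified "5.1.6" is flagged for review rather than silently accepted as patched. The hostnames and the 20250312 build number in the sample inventory are constructed.

```python
"""Added example: triage a constructed VioStor inventory against the fixed
version named in QNAP advisory QSA-25-29 (5.1.6 build 20250621).
Not part of the original record; the version-string format is assumed."""
import re
from typing import Dict, List, NamedTuple, Optional

# Fixed version as stated in the advisory text on this page.
FIXED_VERSION = "5.1.6 build 20250621"


class Version(NamedTuple):
    major: int
    minor: int
    patch: int
    build: int  # 0 when the string carries no build number


# Assumed format: "5.1.6" or "5.1.6 build 20250621" (case-insensitive "build").
_VERSION_RE = re.compile(
    r"^\s*(\d+)\.(\d+)\.(\d+)(?:\s*build\s*(\d+))?\s*$", re.IGNORECASE
)


def parse_version(text: str) -> Optional[Version]:
    """Parse a VioStor version string; return None if it does not match."""
    m = _VERSION_RE.match(text)
    if not m:
        return None
    major, minor, patch, build = m.groups()
    return Version(int(major), int(minor), int(patch), int(build) if build else 0)


def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> Optional[bool]:
    """True if installed is older than the fixed build, False if patched,
    None if the installed string cannot be parsed (needs manual follow-up).
    Tuple comparison makes a missing build number (0) sort below any real
    build, so "5.1.6" alone is reported as vulnerable, not as patched."""
    inst = parse_version(installed)
    fix = parse_version(fixed)
    if inst is None or fix is None:
        return None
    return inst < fix


# Constructed inventory, as it might be exported from an asset database.
SAMPLE_INVENTORY: Dict[str, str] = {
    "nvr-lobby": "5.1.5 build 20250312",   # constructed older build
    "nvr-dock": "5.1.6 build 20250621",    # exactly the fixed build
    "nvr-yard": "5.1.6",                   # build number not recorded
    "nvr-lab": "unknown",                  # inventory gap
}


def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Group hosts by patch status for a remediation ticket or scan report."""
    result: Dict[str, List[str]] = {"vulnerable": [], "patched": [], "unknown": []}
    for host, version in sorted(inventory.items()):
        status = is_vulnerable(version)
        key = "unknown" if status is None else ("vulnerable" if status else "patched")
        result[key].append(host)
    return result


if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

The "unknown" bucket is deliberate: an NVR whose version cannot be read should go to the same remediation queue as a confirmed-vulnerable one until someone checks it, because an authentication bypass on an exposed recorder is not something to leave to an inventory gap.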

Vulnerability details

An improper authentication vulnerability has been reported to affect VioStor. A remote attacker can exploit the vulnerability to compromise the security of the system. We have already fixed the vulnerability in the following version: VioStor 5.1.6 build 20250621 and later.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assigned mapping)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Improper authentication (CWE-287) in a remotely accessible NVR application directly enables unauthenticated network exploitation of a public-facing service, matching T1190.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-59385: same product class (NAS / storage appliance)
CVE-2025-52425: same product class (NAS / storage appliance)
CVE-2025-59384: same product class (NAS / storage appliance)
CVE-2024-13086: same product class (NAS / storage appliance)
CVE-2025-47206: same product class (NAS / storage appliance)
CVE-2025-29894: same product class (NAS / storage appliance)
CVE-2025-62849: same product class (NAS / storage appliance)
CVE-2025-30276: same product class (NAS / storage appliance)
CVE-2025-59389: same product class (NAS / storage appliance)
CVE-2025-52870: same product class (NAS / storage appliance)

Affected Assets

Vendor: qnap
Product: qvr
Versions: 5.1.6; range 5.1.0 to 5.1.6

Mitigating Controls

Mitigating Controls (NIST 800-53 r5, AI-assigned mapping)

SI-2 Flaw Remediation (prevent)

Directly mitigates the improper authentication vulnerability by requiring timely identification, reporting, and correction through vendor-recommended patches such as VioStor 5.1.6 build 20250621.

RA-5 Vulnerability Monitoring and Scanning (prevent, detect)

Enables proactive detection of the CVE-2025-52856 vulnerability via regular scanning and assessment of VioStor systems, leading to prioritized remediation.

SC-7 Boundary Protection (prevent)

Limits remote attacker access to the vulnerable VioStor authentication mechanism by monitoring and controlling communications at external network boundaries, so that the recorder's management interface is not reachable from the Internet while patching is pending.
