CVE-2025-57707
Published: 11 February 2026
Summary
CVE-2025-57707 is a high-severity Static Code Injection (CWE-96) vulnerability in Qnap File Station. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 20.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Requires validation of user inputs to File Station to neutralize directives before they are statically saved, directly preventing static code injection.
Enforces approved authorizations to block unauthorized access to restricted data and files beyond the attacker's user privileges.
Limits the scope of accessible restricted resources by assigning minimal privileges to user accounts, reducing exploitation impact.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Static code injection in File Station web app enables authenticated remote attackers to bypass access controls for restricted data/files, mapping to privilege escalation via exploitation and public-facing application abuse.
NVD Description
An improper neutralization of directives in statically saved code ('Static Code Injection') vulnerability has been reported to affect File Station 5. If a remote attacker gains a user account, they can then exploit the vulnerability to access restricted data /…
more
files. We have already fixed the vulnerability in the following version: File Station 5 5.5.6.5166 and later
Deeper analysisAI
CVE-2025-57707 is an improper neutralization of directives in statically saved code vulnerability, classified as Static Code Injection (CWE-96), affecting File Station 5 in QNAP devices. Published on 2026-02-11, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), highlighting its high severity due to significant impacts on confidentiality, integrity, and availability.
A remote attacker who has obtained a user account on the affected system can exploit this vulnerability over the network with low attack complexity and no user interaction. Exploitation enables the attacker to access restricted data and files that would otherwise be unavailable to their privilege level.
QNAP's security advisory (QSA-26-03) confirms the vulnerability has been fixed in File Station 5 version 5.5.6.5166 and later. Administrators should update to a patched version and consult https://www.qnap.com/en/security-advisory/qsa-26-03 for full mitigation guidance.
Details
- CWE(s)