Cyber Resilience

CVE-2025-59388

Severity: Medium
Published: 12 March 2026
Modified: 16 March 2026
KEV Added: not listed
Patch: available (Hyper Data Protector 2.3.1.455 and later)
CVSS v4 Score: 6.6 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0047 (37.3rd percentile)
Risk Priority: 35 (floored blend · peak EPSS)

Summary

CVE-2025-59388 is a medium-severity Use of Hard-coded Password (CWE-259) vulnerability in QNAP Hyper Data Protector. Its CVSS v4 base score is 6.6 (Medium).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 37.3rd percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-59388 is a use of hard-coded password vulnerability (CWE-259) affecting Hyper Data Protector. Published on 2026-03-12, it lets remote attackers use the hard-coded credential to gain unauthorized access to the affected component. Because the credential is the same in every shipped copy, extracting it once is enough to authenticate to any unpatched, network-reachable installation.

The CVSS 3.1 vector quoted for this issue (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, score 9.8) describes an attacker who needs only network access to the Hyper Data Protector instance, with no privileges, authentication, or user interaction, and who gains high confidentiality, integrity, and availability impact. This does not agree with the CVSS v4 vector at the top of this page (VC:N/VI:H/VA:N, score 6.6, Medium), which rates only the integrity of the vulnerable system as High. Treat the two scores as unreconciled and confirm the vendor's published vector in QSA-25-48 before assigning priority; the operational point holds either way.

QNAP has addressed the issue in Hyper Data Protector version 2.3.1.455 and later. Additional mitigation details are available in the security advisory at https://www.qnap.com/en/security-advisory/qsa-25-48.
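To make the CWE-259 pattern and its fix concrete, here is an added example (not QNAP's code, and not how Hyper Data Protector is implemented): a constructed login check with a credential compiled into the program, the hardened equivalent that provisions a unique salted secret per installation and compares it in constant time (the property IA-5 Authenticator Management asks for), and a small source scanner that flags password and token literals before they ship. Every name and credential value in it is made up for illustration.

```python
"""CWE-259 in miniature: a constructed vulnerable login beside a hardened one,
plus a small source scanner for hard-coded secret literals.
Example code added to this page; not QNAP's code and not how Hyper Data
Protector is implemented. All names and credential values are made up."""
import hashlib
import hmac
import re
import secrets
from typing import Dict, List, Optional, Tuple

# --- Vulnerable pattern (CWE-259) --------------------------------------------
# Hypothetical credential compiled into every shipped copy. Anyone who pulls it
# out of the package once can log in to every installation, unauthenticated.
BAKED_IN_CREDS: Dict[str, str] = {"hdp_service": "backup!2020"}  # constructed

def login_vulnerable(user: str, password: str) -> bool:
    return BAKED_IN_CREDS.get(user) == password

# --- Hardened pattern (what IA-5 asks for) -----------------------------------
PBKDF2_ITERATIONS = 600_000  # OWASP's 2023 figure for PBKDF2-HMAC-SHA256

def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted, slow hash so a leaked record is not directly reusable."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest

class CredentialStore:
    """Per-installation credentials generated at provisioning time and kept
    outside the code base. The dict here stands in for a root-only config
    file or OS keyring; nothing in it exists until an installer runs."""

    def __init__(self) -> None:
        self._records: Dict[str, Tuple[bytes, bytes]] = {}

    def provision(self, user: str) -> str:
        # A fresh random secret per deployment: extracting it from one box
        # tells an attacker nothing about any other.
        password = secrets.token_urlsafe(24)
        self._records[user] = hash_password(password)
        return password  # handed to the operator once; never stored in clear

    def verify(self, user: str, password: str) -> bool:
        record = self._records.get(user)
        if record is None:
            # Do the same work for unknown users so response time does not
            # reveal which account names exist.
            hash_password(password, b"\x00" * 16)
            return False
        salt, expected = record
        _, actual = hash_password(password, salt)
        return hmac.compare_digest(expected, actual)  # constant-time compare

# --- Detector: catch the literal before it ships ------------------------------
# Flags `password = "..."`, `SECRET: '...'`, `api_token="..."` and similar.
# A value read from the environment or a file is not a literal and is ignored.
SECRET_LITERAL = re.compile(
    r"(?i)(?:pass(?:word|wd)?|pwd|secret|token)\b\s*[:=]\s*[\"']([^\"']{4,})[\"']"
)

def find_hardcoded_secrets(source: str) -> List[Tuple[int, str]]:
    """Return (line_number, literal_value) for each suspicious assignment."""
    return [
        (n, m.group(1))
        for n, line in enumerate(source.splitlines(), 1)
        if (m := SECRET_LITERAL.search(line))
    ]

# Constructed sample source for the scanner (not from any real product).
SAMPLE_SOURCE = """\
import os
DB_PASSWORD = "backup!2020"            # CWE-259: same value in every copy
api_token = 'tk_0123456789abcdef'      # also a literal
password = os.environ["HDP_PASSWORD"]  # fine: supplied per deployment
"""

if __name__ == "__main__":
    print("vulnerable login accepts baked-in secret:",
          login_vulnerable("hdp_service", "backup!2020"))
    store = CredentialStore()
    issued = store.provision("hdp_service")
    print("hardened login, right password:", store.verify("hdp_service", issued))
    print("hardened login, baked-in guess:", store.verify("hdp_service", "backup!2020"))
    for line_no, value in find_hardcoded_secrets(SAMPLE_SOURCE):
        print(f"line {line_no}: hard-coded literal {value!r}")
```

The scanner is deliberately narrow (assignment of a quoted literal to a password-like name) so it stays low-noise in CI; it will not catch a secret assembled from fragments or hidden in a binary blob, which is where firmware-level review still matters.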

Vulnerability details

A use of hard-coded password vulnerability has been reported to affect Hyper Data Protector. The remote attackers can then exploit the vulnerability to gain unauthorized access. We have already fixed the vulnerability in the following version: Hyper Data Protector 2.3.1.455 and later

CWE(s)

CWE-259 Use of Hard-coded Password

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1078.001 Default Accounts Initial Access / Persistence / Privilege Escalation / Defense Evasion
Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
Why these techniques?

The hard-coded password enables remote exploitation of the public-facing application (T1190) and use of a static, vendor-supplied credential for unauthorized access (T1078.001).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-59389 · Same product: QNAP Hyper Data Protector
CVE-2025-29894 · Same product class: NAS / storage appliance
CVE-2026-22900 · Same product class: NAS / storage appliance
CVE-2025-62849 · Same product class: NAS / storage appliance
CVE-2024-13086 · Same product class: NAS / storage appliance
CVE-2026-22898 · Same product class: NAS / storage appliance
CVE-2025-47206 · Same product class: NAS / storage appliance
CVE-2025-30276 · Same product class: NAS / storage appliance
CVE-2025-52856 · Same product class: NAS / storage appliance
CVE-2025-52870 · Same product class: NAS / storage appliance

Affected Assets

QNAP Hyper Data Protector
Versions 2.2.0.284 up to, but not including, 2.3.1.455 (2.3.1.455 is the fixed release, so it is not itself affected)
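Turning the version window above into something an asset inventory can be checked against is mostly a matter of comparing four-part build numbers correctly, which string comparison gets wrong (for example "2.3.1.9" sorts after "2.3.1.455" as text). The following is an added example, not a QNAP tool; the inventory records in it are constructed.

```python
"""Version-window check for the Affected Assets range on this page.
Example code added here; not a QNAP tool. The inventory below is constructed."""
from typing import Dict, List, Tuple

# Range as stated on this page: vulnerable builds start at 2.2.0.284 and the
# vendor fix is 2.3.1.455, so the fixed build itself is excluded.
AFFECTED_FROM = "2.2.0.284"
FIXED_IN = "2.3.1.455"

def parse_version(version: str) -> Tuple[int, ...]:
    """'2.3.1.455' -> (2, 3, 1, 455). Numeric components only; anything else
    (a beta suffix, an empty string) raises rather than silently comparing."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version {version!r}")
    return tuple(int(p) for p in parts)

def is_vulnerable(installed: str, affected_from: str = AFFECTED_FROM,
                  fixed_in: str = FIXED_IN) -> bool:
    """True when affected_from <= installed < fixed_in. Tuple comparison is
    numeric per component, so 2.3.1.9 < 2.3.1.455 as intended. A version
    below affected_from is only "outside the page's stated range", not
    proven safe; check the vendor advisory for such builds."""
    v = parse_version(installed)
    return parse_version(affected_from) <= v < parse_version(fixed_in)

def hosts_needing_patch(inventory: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Filter {host, product, version} records to those running an affected
    Hyper Data Protector build. Unparseable versions are reported for manual
    review rather than assumed safe."""
    findings: List[Tuple[str, str]] = []
    for rec in inventory:
        if rec["product"].lower() != "hyper data protector":
            continue
        try:
            if is_vulnerable(rec["version"]):
                findings.append((rec["host"], rec["version"]))
        except ValueError:
            findings.append((rec["host"], f"UNPARSEABLE:{rec['version']}"))
    return findings

# Constructed inventory; hostnames, products and versions are made up.
SAMPLE_INVENTORY = [
    {"host": "nas-01", "product": "Hyper Data Protector", "version": "2.3.0.120"},
    {"host": "nas-02", "product": "Hyper Data Protector", "version": "2.3.1.455"},
    {"host": "nas-03", "product": "Hyper Data Protector", "version": "2.3.1.9"},
    {"host": "nas-04", "product": "Hyper Data Protector", "version": "2.3.2-beta"},
    {"host": "nas-05", "product": "Hybrid Backup Sync", "version": "25.1.0"},
]

if __name__ == "__main__":
    for host, version in hosts_needing_patch(SAMPLE_INVENTORY):
        print(f"{host}: {version}")
```

Feed it the product and version fields exported from whatever inventory or NAS management console you already have; the only assumption baked in is the page's own start and fix versions.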

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent)
Directly requires timely remediation of software flaws like this hard-coded password vulnerability to prevent unauthorized remote access.

SI-5 Security Alerts, Advisories, and Directives (prevent)
Ensures receipt and implementation of vendor security advisories, such as QNAP's QSA-25-48 for CVE-2025-59388, to apply patches preventing exploitation.

IA-5 Authenticator Management (prevent)
Mandates secure management of authenticators, explicitly preventing the use of unmanageable hard-coded passwords in systems.

References

QNAP Security Advisory QSA-25-48: https://www.qnap.com/en/security-advisory/qsa-25-48