Cyber Posture

CVE-2025-59388

Critical

Published: 12 March 2026

Published
12 March 2026
Modified
16 March 2026
KEV Added
Patch
CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0020 41.3th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-59388 is a critical-severity Use of Hard-coded Password (CWE-259) vulnerability in Qnap Hyper Data Protector. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 41.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match
prevent

Directly requires timely remediation of software flaws like this hard-coded password vulnerability to prevent unauthorized remote access.

SI-5 Security Alerts, Advisories, and Directives good match
prevent

Ensures receipt and implementation of vendor security advisories, such as QNAP's for CVE-2025-59388, to apply patches preventing exploitation.

IA-5 Authenticator Management good match
prevent

Mandates secure management of authenticators, explicitly preventing the use of unmanageable hard-coded passwords in systems.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1078.001 Default Accounts Stealth
Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
attack.mitre.org →
Why these techniques?

Hard-coded password enables remote exploitation of public-facing application (T1190) and use of default/static credentials for unauthorized access (T1078.001).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

A use of hard-coded password vulnerability has been reported to affect Hyper Data Protector. The remote attackers can then exploit the vulnerability to gain unauthorized access. We have already fixed the vulnerability in the following version: Hyper Data Protector 2.3.1.455…

more

and later

Deeper analysisAI

CVE-2025-59388 is a use of hard-coded password vulnerability (CWE-259) affecting Hyper Data Protector software. Published on 2026-03-12, it enables remote attackers to exploit the hard-coded credentials for unauthorized access to the affected component.

Attackers require only network access to the vulnerable Hyper Data Protector instance, with no privileges, authentication, or user interaction needed (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, score 9.8). Successful exploitation grants unauthorized access, resulting in high impacts to confidentiality, integrity, and availability.

QNAP has addressed the issue in Hyper Data Protector version 2.3.1.455 and later. Additional mitigation details are available in the security advisory at https://www.qnap.com/en/security-advisory/qsa-25-48.

Details

CWE(s)
CWE-259

Affected Products

qnap
hyper data protector
2.2.0.284 — 2.3.1.455

CVEs Like This One

CVE-2025-59389Same product: Qnap Hyper Data Protector
CVE-2025-52425Same product class: NAS / storage appliance
CVE-2024-13086Same product class: NAS / storage appliance
CVE-2025-52870Same product class: NAS / storage appliance
CVE-2025-59385Same product class: NAS / storage appliance
CVE-2025-29894Same product class: NAS / storage appliance
CVE-2025-59384Same product class: NAS / storage appliance
CVE-2026-22898Same product class: NAS / storage appliance
CVE-2025-52856Same product class: NAS / storage appliance
CVE-2026-22900Same product class: NAS / storage appliance

References