Cyber Posture

CVE-2025-59389

Critical

Published: 02 January 2026

Published
02 January 2026
Modified
22 January 2026
KEV Added
Patch
CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0013 32.0th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-59389 is a critical-severity SQL Injection (CWE-89) vulnerability in Qnap Hyper Data Protector. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 32.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match
prevent

Directly mitigates the SQL injection vulnerability by requiring validation of all remote inputs to Hyper Data Protector, preventing malicious SQL command execution.

SI-2 Flaw Remediation good match
prevent

Addresses the specific CVE by ensuring timely installation of the vendor patch in Hyper Data Protector version 2.2.4.1 and later to remediate the input handling flaw.

SC-7 Boundary Protection partial match
prevent

Provides boundary protection against remote unauthenticated SQL injection attacks using mechanisms like web application firewalls to inspect and block malicious payloads.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
Why these techniques?

SQL injection vulnerability in a remotely accessible service (Hyper Data Protector) directly enables exploitation of a public-facing application for remote code execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

An SQL injection vulnerability has been reported to affect Hyper Data Protector. The remote attackers can then exploit the vulnerability to execute unauthorized code or commands. We have already fixed the vulnerability in the following versions: Hyper Data Protector 2.2.4.1…

more

and later

Deeper analysisAI

CVE-2025-59389 is an SQL injection vulnerability (CWE-89) affecting Hyper Data Protector. Published on 2026-01-02, it enables remote attackers to execute unauthorized code or commands by exploiting flawed input handling in the software.

Remote, unauthenticated attackers with network access can exploit this vulnerability with low complexity and no user interaction required, as indicated by its CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). Successful exploitation grants high impacts on confidentiality, integrity, and availability, potentially allowing full compromise of affected systems.

QNAP has addressed the issue in Hyper Data Protector version 2.2.4.1 and later. Additional mitigation details are available in the vendor's security advisory at https://www.qnap.com/en/security-advisory/qsa-25-48.

Details

CWE(s)
CWE-89

Affected Products

qnap
hyper data protector
2.0.0.1115 · 2.1.0.0226 — 2.2.4.1

CVEs Like This One

CVE-2025-59388Same product: Qnap Hyper Data Protector
CVE-2025-62849Same product class: NAS / storage appliance
CVE-2025-29894Same product class: NAS / storage appliance
CVE-2025-52425Same product class: NAS / storage appliance
CVE-2025-54153Same product class: NAS / storage appliance
CVE-2024-56804Same product class: NAS / storage appliance
CVE-2025-53595Same product class: NAS / storage appliance
CVE-2025-29893Same product class: NAS / storage appliance
CVE-2025-30276Same product class: NAS / storage appliance
CVE-2026-22898Same product class: NAS / storage appliance

References