{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-59389","assignerOrgId":"2fd009eb-170a-4625-932b-17a53af1051f","state":"PUBLISHED","assignerShortName":"qnap","dateReserved":"2025-09-15T08:35:00.660Z","datePublished":"2026-01-02T15:51:48.998Z","dateUpdated":"2026-01-02T19:09:42.304Z"},"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"Hyper Data Protector","vendor":"QNAP Systems Inc.","versions":[{"lessThan":"2.2.4.1","status":"affected","version":"2.2.x","versionType":"custom"}]}],"credits":[{"lang":"en","type":"finder","value":"Pwn2Own 2025 - Summoning Team"}],"descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"An SQL injection vulnerability has been reported to affect Hyper Data Protector. Remote attackers can exploit the vulnerability to execute unauthorized code or commands.<br><br>We have already fixed the vulnerability in the following versions:<br>Hyper Data Protector 2.2.4.1 and later<br>"}],"value":"An SQL injection vulnerability has been reported to affect Hyper Data Protector. 
Remote attackers can exploit the vulnerability to execute unauthorized code or commands.\n\nWe have already fixed the vulnerability in the following versions:\nHyper Data Protector 2.2.4.1 and later"}],"impacts":[{"capecId":"CAPEC-66","descriptions":[{"lang":"en","value":"CAPEC-66"}]}],"metrics":[{"cvssV4_0":{"Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","Safety":"NOT_DEFINED","attackComplexity":"LOW","attackRequirements":"NONE","attackVector":"NETWORK","baseScore":8.1,"baseSeverity":"HIGH","exploitMaturity":"UNREPORTED","privilegesRequired":"NONE","providerUrgency":"NOT_DEFINED","subAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","userInteraction":"NONE","valueDensity":"NOT_DEFINED","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U","version":"4.0","vulnAvailabilityImpact":"HIGH","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"HIGH","vulnerabilityResponseEffort":"NOT_DEFINED"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-89","description":"CWE-89","lang":"en","type":"CWE"}]}],"providerMetadata":{"orgId":"2fd009eb-170a-4625-932b-17a53af1051f","shortName":"qnap","dateUpdated":"2026-01-02T15:51:48.998Z"},"references":[{"url":"https://www.qnap.com/en/security-advisory/qsa-25-48"}],"solutions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"We have already fixed the vulnerability in the following versions:<br>Hyper Data Protector 2.2.4.1 and later<br>"}],"value":"We have already fixed the vulnerability in the following versions:\nHyper Data Protector 2.2.4.1 and later"}],"source":{"advisory":"QSA-25-48","discovery":"EXTERNAL"},"title":"Hyper Data Protector","x_generator":{"engine":"Vulnogram 
0.1.0-dev"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2026-01-02T19:09:30.345109Z","id":"CVE-2025-59389","options":[{"Exploitation":"none"},{"Automatable":"yes"},{"Technical Impact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-01-02T19:09:42.304Z"}}]}}