QNAP patches critical SQL Injection flaw in QuMagie photo management application
Take action: If you have QNAP NAS devices, first make sure they are isolated from the internet and accessible only from trusted networks. Then if you're using QNAP's QuMagie photo management app (version 2.6.x) plan a quick update to the patched 2.7.x versions.
Learn More
QNAP has patched a critical SQL injection vulnerability in QuMagie, its photo management and sharing solution for network-attached storage devices.
The flaw is tracked as CVE-2025-52425 (CVSS score 9.8), allows remote attackers to execute unauthorized code or commands on vulnerable QNAP NAS systems running affected versions of the application.
Successful exploitation could enable attackers to access private photo libraries, manipulate metadata, steal sensitive information, or use the vulnerability as a foothold for network compromise.
The vulnerability affects QuMagie versions 2.6.x.
QNAP patched the flaw in QuMagie version 2.7.0 and all subsequent releases. Users running QuMagie 2.6.x should update ASAP.
