What security vulnerabilities affect QNAP QVR firmware?

QNAP Systems has patched two security vulnerabilities affecting QVR firmware in legacy VioStor Network Video Recorder (NVR) systems: CVE-2025-52856, an authentication vulnerability, and CVE-2025-52861, a path traversal vulnerability. Both flaws target older surveillance infrastructure that organizations may still be operating.

What is CVE-2025-52856 and how does it work?

CVE-2025-52856 is an authentication vulnerability that enables remote attackers to compromise system security without proper credentials. It allows attackers to potentially gain access to sensitive surveillance data and system controls through remote authentication bypass, effectively circumventing normal security measures.

What is CVE-2025-52861 and what does it enable?

CVE-2025-52861 is a path traversal vulnerability that becomes exploitable once an attacker gains administrator-level access. Through this flaw, malicious actors can read unexpected files and access sensitive system data beyond their intended permissions. While it requires prior administrative access, it significantly amplifies the potential damage from successful attacks.

What is the latest patched version of QVR firmware?

The latest patched version is QVR 5.1.6 build 20250621 or later versions. Legacy VioStor NVR systems running any QVR 5.1.x firmware version should upgrade to this build or newer to address both CVE-2025-52856 and CVE-2025-52861 vulnerabilities.

What are the CVSS scores for the QNAP QVR vulnerabilities?

CVSS scores are currently not available (N/A) for both CVE-2025-52856 and CVE-2025-52861. The vulnerabilities have been assigned CVE numbers, but formal scoring has not yet been published by the CVE authorities.

What does QNAP recommend for preventing future security issues?

QNAP strongly recommends that users establish regular update schedules to ensure their systems receive the latest security patches. Maintaining current firmware versions is essential for protecting surveillance infrastructure from emerging threats.

Can CVE-2025-52861 be exploited independently?

No, CVE-2025-52861 requires prior administrative access to be exploited. This path traversal vulnerability cannot be used independently but becomes dangerous when combined with other attack vectors or when an attacker has already gained administrator-level privileges through vulnerabilities like CVE-2025-52856.

What type of data could be compromised through these QNAP vulnerabilities?

Through CVE-2025-52856, attackers could potentially access sensitive surveillance data and system controls. CVE-2025-52861 allows reading unexpected files and accessing sensitive system data beyond intended permissions. Combined, these vulnerabilities could compromise the entire surveillance infrastructure and any data stored or processed by the NVR systems.

Advisory

QNAP patches multible security vulnerabilities in legacy VioStor NVR systems

Q: Which QNAP systems are affected by these vulnerabilities?

Legacy VioStor Network Video Recorder (NVR) systems running QVR 5.1.x firmware are vulnerable to both security flaws. The impact scope specifically targets older surveillance infrastructure that organizations may still be operating in production environments.

published: Aug. 30, 2025

Take action: If you have QNAP Legacy VioStor NVR systems, first make sure they are isolated from the internet and accessible only from trusted networks or VPN. Then plan a quick update update to QVR 5.1.6 build 20250621 or later. And set up regular firmware update schedules to stay protected against future security flaws.

Learn More

QNAP Systems has patched security vulnerabilities affecting QVR firmware in legacy VioStor Network Video Recorder (NVR) systems.

Vulnerabilities summary

CVE-2025-52856 (CVSS score N/A): Authentication bypass vulnerability that enables remote attackers to compromise system security without proper credentials. It allows attackers to potentially gain access to sensitive surveillance data and system controls through remote authentication bypass.
CVE-2025-52861 (CVSS score N/A): A path traversal vulnerability that becomes exploitable once an attacker gains administrator-level access. Through this flaw, malicious actors can read unexpected files and access sensitive system data beyond their intended permissions. While this vulnerability requires prior administrative access, it significantly amplifies the potential damage from successful attacks.

Legacy VioStor NVR systems running QVR 5.1.x firmware are vulnerable to both security flaws. The impact scope specifically targets older surveillance infrastructure that organizations may still be operating in production environments.

QNAP has released updated firmware that patches both vulnerabilities. Legacy VioStor NVR systems running QVR 5.1.x can upgrade to QVR 5.1.6 build 20250621 or later versions to eliminate these security risks.

QNAP strongly recommends that users establish regular update schedules to ensure their systems receive the latest security patches.

QNAP patches multible security vulnerabilities in legacy VioStor NVR systems

Read More
Critical unaithenticated RCE flaws reported in Zenitel TCIV-3+ …
Siemens reports critical flaws in OPC UA
FreePBX Servers under active zero-day attack
CrackArmor: Nine Critical Vulnerabilities in AppArmor Allow Unprivileged …
Siemens SINEMA reports multiple vulnerabilities, two critical