=====================================================================
                            CERT-Renater

                 Information Note No. 2025/VULN570
_____________________________________________________________________

DATE                 : 02/09/2025

HARDWARE PLATFORM(S) : /

OPERATING SYSTEM(S)  : Systems running QVR firmware for legacy VioStor
                       NVR versions prior to QVR 5.1.6 build 20250621.

=====================================================================
https://www.qnap.com/en/security-advisory/qsa-25-29
_____________________________________________________________________

Security ID : QSA-25-29

Multiple Vulnerabilities in QVR Firmware for Legacy VioStor NVR

Release date      : August 29, 2025
CVE identifier    : CVE-2025-52856 | CVE-2025-52861
Affected products : QVR 5.1.x for legacy VioStor NVR

Severity
Important

Status
Resolved

Summary

Multiple vulnerabilities have been reported to affect QVR firmware for
legacy VioStor NVR:

  CVE-2025-52856: A remote attacker can exploit the improper
  authentication vulnerability to compromise the security of the
  system.

  CVE-2025-52861: If a remote attacker gains access to an
  administrator account, they can then exploit the path traversal
  vulnerability to read the contents of unexpected files or system
  data.

We have already fixed the vulnerabilities in the following version:

  Affected Product                 Fixed Version
  -------------------------------  ----------------------------------
  Legacy VioStor NVR: QVR 5.1.x    Legacy VioStor NVR: QVR 5.1.6
                                   build 20250621 and later

Recommendation

To secure your device, we recommend regularly updating your system to
the latest version to benefit from vulnerability fixes. You can check
the product support status to see the latest updates available to your
NAS model.

Updating QVR Firmware on Legacy VioStor NVR

  1. Log in to your VioStor NVR as an administrator.
  2. Go to Control Panel > System Settings > Firmware Update.
  3. Select the Firmware Update tab.
  4. Click Browse... to upload the latest firmware file.
     Tip: Download the latest firmware file for your specific device
     from https://www.qnap.com/go/download.
  5. Click Update System.

The system installs the update.

Attachment

  CVE-2025-52856.json
  CVE-2025-52861.json

Acknowledgements: Security researcher at 360, 侯留洋 (houliuyang@360.cn)

Revision History: V1.0 (August 29, 2025) - Published

=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |  email:cert@support.renater.fr  +
=========================================================
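
Added example (not part of the QNAP or CERT-Renater advisory): a triage script that sorts an NVR inventory against the fixed release QVR 5.1.6 build 20250621. The inventory layout, hostnames and the exact firmware string form (modelled on the advisory's "QVR 5.1.6 build 20250621") are assumptions.

```python
import re

# Fixed release named in the advisory: QVR 5.1.6 build 20250621.
FIXED = ((5, 1, 6), 20250621)
# Assumed string form, modelled on the advisory's "QVR 5.1.6 build 20250621".
VERSION_RE = re.compile(
    r"^\s*(?:QVR\s+)?(\d+)\.(\d+)\.(\d+)\s+build\s+(\d{8})\s*$", re.I)

def parse_version(text):
    """Return ((major, minor, patch), build), or None if the string is unusable."""
    m = VERSION_RE.match(text or "")
    if not m:
        return None
    major, minor, patch, build = (int(g) for g in m.groups())
    return (major, minor, patch), build

def classify(text):
    """Map a reported firmware string to a triage status for QSA-25-29."""
    parsed = parse_version(text)
    if parsed is None:
        return "unknown"        # verify by hand; never assume it is patched
    version, build = parsed
    if version[:2] != (5, 1):
        return "out-of-scope"   # the advisory's product line is QVR 5.1.x
    # Same version with an older build date is still affected.
    return "fixed" if (version, build) >= FIXED else "affected"

def triage(inventory):
    """Group hostnames by status; inventory maps hostname -> firmware string."""
    report = {}
    for host, firmware in sorted(inventory.items()):
        report.setdefault(classify(firmware), []).append(host)
    return report

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = {
    "nvr-lobby": "QVR 5.1.5 build 20240101",
    "nvr-dock": "QVR 5.1.6 build 20250501",
    "nvr-lab": "QVR 5.1.6 build 20250621",
    "nvr-roof": "5.1.7 build 20250801",
    "nvr-old": "QVR 5.0.9 build 20200101",
    "nvr-gate": "firmware: n/a",
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE).items():
        print(f"{status}: {', '.join(hosts)}")
```

Devices reported as "unknown" or "out-of-scope" are not cleared by this check and need a manual look at the firmware page.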