QNAP Vulnerability Let Attackers Bypass Authentication and Access Unauthorized Files

Cybersecurity

QNAP Systems has identified a critical security vulnerability in its legacy VioStor Network Video Recorder (NVR) firmware, which allows remote attackers to bypass authentication mechanisms and gain unauthorized system access.

The vulnerability affects QVR firmware version 5.1.x on legacy VioStor NVR systems.

Key Takeaways

• Two vulnerabilities permit remote authentication bypass and unauthorized file access in QNAP VioStor NVR systems.
• An upgrade to QVR firmware 5.1.6 build 20250621 is required.
• Complete system compromise is possible, exposing surveillance data and controls.

CVE-2025-52856: Improper Authentication Vulnerability

CVE-2025-52856 is identified as an improper authentication vulnerability, posing significant risks to system security.

This flaw allows remote attackers to bypass the authentication process, circumventing login credentials, multi-factor authentication, and other security controls in the QVR firmware.

The vulnerability operates at the application layer, where flawed authentication logic or missing validation checks enable unauthorized access without valid user credentials.

Remote attackers can exploit this flaw through network connections to the VioStor NVR device, potentially assuming administrative privileges and accessing sensitive surveillance data and system controls without any knowledge of legitimate user accounts.

CVE-2025-52861: Path Traversal Vulnerability

CVE-2025-52861 is a path traversal vulnerability, which becomes exploitable once an attacker gains administrator-level access via the authentication bypass.

This vulnerability allows attackers to manipulate file path parameters, using techniques such as “../” sequences to access parent directories and sensitive system files.

Exploitation of this path traversal flaw can lead to unauthorized reading of arbitrary files, including configuration files with sensitive system parameters, user credential databases, and other critical data.

Immediate Patching Required

QNAP has addressed both vulnerabilities in QVR firmware version 5.1.6 build 20250621 and subsequent releases.

Users with legacy VioStor NVR systems running QVR 5.1.x firmware should upgrade to the patched version immediately to mitigate security risks.

The update process requires administrative access to the VioStor NVR web interface. Navigate to Control Panel > System Settings > Firmware Update to upload and install the latest firmware.

The vulnerabilities were discovered by security researcher Hou Liuyang from 360 Security, underscoring the importance of coordinated vulnerability disclosure in identifying and rectifying critical security flaws.

Network administrators should prioritize this update, as the combination of authentication bypass and path traversal vulnerabilities creates a high-risk scenario, potentially compromising the video surveillance infrastructure and allowing access to recorded footage or live feeds.