Security ID : QSA-25-29

Multiple Vulnerabilities in QVR Firmware for Legacy VioStor NVR


  • Release date : August 29, 2025

  • CVE identifier : CVE-2025-52856 | CVE-2025-52861

  • Affected products: QVR 5.1.x for legacy VioStor NVR

Severity

Important

Status

Resolved


Summary

Mutiple vulnerabilities has been reported to affect QVR firmware for legacy VioStor NVR:

  • CVE-2025-52856: A remote attacker can exploit the improper authentication vulnerability to compromise the security of the system.
  • CVE-2025-52861: If a remote attacker gains access to an administrator account, they can then exploit the path traversal vulnerability to read the contents of unexpected files or system data.

  

We have already fixed the vulnerabilities in the following version:

Affected Product Fixed Version
Legacy VioStor NVR: QVR 5.1.x

Legacy VioStor NVR: QVR 5.1.6 build 20250621 and later

Recommendation

To secure your device, we recommend regularly updating your system to the latest version to benefit from vulnerability fixes. You can check the product support status to see the latest updates available to your NAS model.

Updating QVR Firmware on Legacy VioStor NVR

  1. Log in to your VioStor NVR as an administrator.
  2. Go to Control Panel > System Settings > Firmware Update.
  3. Select the Firmware Update tab.
  4. Click Browse... to upload the latest firmware file.
    Tip: Download the latest firmware file for your specific device from https://www.qnap.com/go/download.
  5. Click Update System.
    The system installs the update.

  

Attachment

Acknowledgements: 360 的安全研究员 侯留洋(houliuyang@360.cn)

Revision History:
V1.0 (August 29, 2025) - Published

사양 선택

      더 보기 적게 보기

      다른 국가/지역 사이트:

      open menu
      back to top