Security ID : QSA-25-29
Multiple Vulnerabilities in QVR Firmware for Legacy VioStor NVR
Release date : August 29, 2025
CVE identifier : CVE-2025-52856 | CVE-2025-52861
Affected products: QVR 5.1.x for legacy VioStor NVR
Severity
Important
Status
Resolved
Summary
Mutiple vulnerabilities has been reported to affect QVR firmware for legacy VioStor NVR:
- CVE-2025-52856: A remote attacker can exploit the improper authentication vulnerability to compromise the security of the system.
- CVE-2025-52861: If a remote attacker gains access to an administrator account, they can then exploit the path traversal vulnerability to read the contents of unexpected files or system data.
We have already fixed the vulnerabilities in the following version:
| Affected Product | Fixed Version |
| Legacy VioStor NVR: QVR 5.1.x |
Legacy VioStor NVR: QVR 5.1.6 build 20250621 and later |
Recommendation
To secure your device, we recommend regularly updating your system to the latest version to benefit from vulnerability fixes. You can check the product support status to see the latest updates available to your NAS model.
Updating QVR Firmware on Legacy VioStor NVR
- Log in to your VioStor NVR as an administrator.
- Go to Control Panel > System Settings > Firmware Update.
- Select the Firmware Update tab.
- Click Browse... to upload the latest firmware file.
Tip: Download the latest firmware file for your specific device from https://www.qnap.com/go/download. - Click Update System.
The system installs the update.
Attachment
Acknowledgements: 360 的安全研究员 侯留洋(houliuyang@360.cn)
Revision History:
V1.0 (August 29, 2025) - Published
