Initiatives for
As the national authority for Cybersecurity the CCB has developed several initiatives for specific publics which are presented here.
Warning: Critical SQL Injection vulnerability in QuMagie allows RCE, Patch Immediately!
Image
Published : 10/11/2025
Last update: 10/11/2025
Affected software:: QuMagie 2.6.x
Type:
→ Improper Neutralisation of Special Elements used in an SQL Command ('SQL Injection') - CWE-89CVE/CVSS
→ CVE-2025-52425: 9.5 CRITICAL (CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H)
Sources
https://nvd.nist.gov/vuln/detail/CVE-2025-52425
Risks
A critical-severity vulnerability (CVE-2025-52425) with a CVSS score of 9.5 exists in QNAP's QuMagie 2.6.x, a multimedia application for QNAP NAS.
Unpatched, affected instances are vulnerable to remote unauthorised code execution (RCE), with a possible high impact on the confidentiality, integrity, and availability of data and systems.
Currently, no information indicates that CVE-2025-52425 is actively exploited.
CVE-2025-52425 is patched in version 2.7.0 and later.
Description
CVE-2025-52425 is an 'Improper Neutralisation of Special Elements used in an SQL Command' type of vulnerability, also known as 'SQL Injection'. It could allow a remote attacker to execute unauthorised code or commands. The vendor offers no further technical details.
Recommended Actions
Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority after thorough testing.
Monitor/Detect
The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.
In case of an intrusion, you can report an incident via:< https://ccb.belgium.be/cert/report-incident>.
While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.