Warning: Critical SQL Injection vulnerability in QuMagie allows RCE, Patch Immediately!

  • Published: 10/11/2025
  • Last update: 10/11/2025

  • Affected software: QuMagie 2.6.x

  • Type:

    → Improper Neutralisation of Special Elements used in an SQL Command ('SQL Injection') - CWE-89

  • CVE/CVSS:
    → CVE-2025-52425: 9.5 CRITICAL (CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H)

Sources

https://nvd.nist.gov/vuln/detail/CVE-2025-52425

Risks

A critical-severity vulnerability (CVE-2025-52425) with a CVSS score of 9.5 exists in QNAP's QuMagie 2.6.x, a multimedia application for QNAP NAS.

Unpatched, affected instances are vulnerable to remote unauthorised code execution (RCE), with a possible high impact on the confidentiality, integrity, and availability of data and systems.

Currently, no information indicates that CVE-2025-52425 is actively exploited.

CVE-2025-52425 is patched in version 2.7.0 and later.

Description

CVE-2025-52425 is an 'Improper Neutralisation of Special Elements used in an SQL Command' type of vulnerability, also known as 'SQL Injection'. It could allow a remote attacker to execute unauthorised code or commands. The vendor offers no further technical details.
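The advisory gives no details of the affected code, so the following is a generic illustration of CWE-89 added to this page, not QuMagie's code: an in-memory SQLite table with a constructed schema and rows, one query that concatenates user input into the SQL text, and the same query with a bound parameter. The function names, table and sample values are all assumptions made for the example.

```python
import sqlite3


def make_db():
    # Constructed sample data; the table and rows are not QuMagie's schema.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE albums (id INTEGER, owner TEXT, title TEXT)")
    conn.executemany(
        "INSERT INTO albums VALUES (?, ?, ?)",
        [(1, "alice", "Holiday 2024"), (2, "bob", "Private"), (3, "alice", "Family")],
    )
    return conn


def albums_vulnerable(conn, owner):
    # CWE-89: the untrusted value becomes part of the SQL text, so quote
    # characters in it change the meaning of the statement.
    sql = "SELECT title FROM albums WHERE owner = '" + owner + "'"
    return [row[0] for row in conn.execute(sql)]


def albums_safe(conn, owner):
    # Mitigation: a bound parameter is sent as data and is never parsed as SQL,
    # so the same input only ever matches an owner literally called that.
    sql = "SELECT title FROM albums WHERE owner = ?"
    return [row[0] for row in conn.execute(sql, (owner,))]


def demo():
    conn = make_db()
    normal = "alice"
    # Constructed textbook input containing a quote and a tautology; it shows
    # why 'special elements' must be neutralised, not how any product is attacked.
    crafted = "x' OR '1'='1"
    return {
        "vuln_normal": albums_vulnerable(conn, normal),
        "vuln_crafted": albums_vulnerable(conn, crafted),
        "safe_normal": albums_safe(conn, normal),
        "safe_crafted": albums_safe(conn, crafted),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

With the concatenated query the crafted input returns every row in the table, including another user's album; with the bound parameter it returns nothing, because no owner is literally named that. Code review for string-built SQL and a switch to parameterised queries is the general fix for this weakness class.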

Recommended Actions

Patch

The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority after thorough testing.

Monitor/Detect

The CCB recommends that organisations scale up their monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.

In case of an intrusion, you can report an incident via: https://ccb.belgium.be/cert/report-incident

While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.

References

https://www.qnap.com/en/security-advisory/qsa-25-33