Hyper Data Protector
CVE-2025-59389
CRITICAL
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
An SQL injection vulnerability has been reported to affect Hyper Data Protector. The remote attackers can then exploit the vulnerability to execute unauthorized code or commands.
We have already fixed the vulnerability in the following versions: Hyper Data Protector 2.2.4.1 and later
AnalysisAI
QNAP Hyper Data Protector before 2.2.4.1 has an SQL injection vulnerability that allows remote attackers to execute unauthorized commands on the backup database. Combined with CVE-2025-59388 (hardcoded credentials), this creates a critical attack chain.
Technical ContextAI
The application fails to parameterize SQL queries (CWE-89), allowing injection of arbitrary SQL commands. In a backup management system, SQL injection can expose backup metadata, credentials for protected systems, and potentially enable OS command execution through SQL-specific features (e.g., xp_cmdshell, COPY TO PROGRAM).
RemediationAI
Update to Hyper Data Protector 2.2.4.1 or later. Address both this CVE and CVE-2025-59388 (hardcoded creds) together.
More in Hyper Data Protector
View allSame weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today