Skip to main content

Qsync Central EUVD-2025-17342

| CVE-2025-29892 HIGH
SQL Injection (CWE-89)
2025-06-06 security@qnapsecurity.com.tw
SQLi Qnap RCE Qsync Central
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

6
Analysis Updated
Apr 16, 2026 - 06:44 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
4.5.0.6
EUVD ID Assigned
Mar 14, 2026 - 18:10 euvd
EUVD-2025-17342
Analysis Generated
Mar 14, 2026 - 18:10 vuln.today
CVE Published
Jun 06, 2025 - 16:15 nvd
HIGH 8.8

DescriptionCVE.org

An SQL injection vulnerability has been reported to affect Qsync Central. If exploited, the vulnerability could allow remote attackers who have gained user access to execute unauthorized code or commands.

We have already fixed the vulnerability in the following version: Qsync Central 4.5.0.6 ( 2025/03/20 ) and later

AnalysisAI

SQL injection vulnerability in Qsync Central that allows authenticated remote attackers to execute arbitrary code or commands with high impact on confidentiality, integrity, and availability. The vulnerability affects all versions prior to Qsync Central 4.5.0.6 (released 2025/03/20), and while no active KEV or public PoC is explicitly referenced in the provided data, the high CVSS score of 8.8 combined with low attack complexity and low privilege requirements indicates this is a serious, readily exploitable vulnerability that should be prioritized for patching.

Technical ContextAI

The vulnerability is rooted in CWE-89 (SQL Injection), a classic input validation flaw where user-supplied data is improperly sanitized before being incorporated into SQL queries. In Qsync Central, this flaw allows attackers who have already obtained legitimate user credentials to inject malicious SQL commands through input fields or parameters. The vulnerability exists in the application's database query handling logic, likely in administrative, reporting, or configuration interfaces where SQL queries are dynamically constructed. Unlike unauthenticated SQL injection, this variant requires an attacker to first gain or possess valid user credentials (PR:L in CVSS), which limits the initial attack surface but still poses significant risk in multi-tenant or enterprise environments where account compromise is common.

RemediationAI

Immediate action: Upgrade Qsync Central to version 4.5.0.6 or later (released 2025/03/20). This is the vendor-confirmed fix and should be applied as soon as possible. For organizations unable to immediately patch, implement the following mitigations: (1) restrict network access to Qsync Central administrative interfaces using firewall rules or VPN-only access; (2) enforce strong password policies and multi-factor authentication for all Qsync Central user accounts to reduce the likelihood of credential compromise; (3) monitor database access logs and SQL query patterns for signs of injection attempts; (4) disable or restrict SQL query logging if not actively needed, as malicious queries may appear in logs; (5) implement database-level access controls limiting the permissions of the Qsync Central service account. Patch deployment is strongly recommended over workarounds due to the severity and ease of exploitation.

Share

EUVD-2025-17342 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy