August 29, 2025
QNAP has released a security advisory addressing multiple vulnerabilities affecting the QVR firmware on legacy VioStor NVR devices. The flaws include an improper authentication bug and a path traversal issue, both of which could allow attackers to compromise critical system functions.
The first issue, tracked as CVE-2025-52856 and rated Critical (CVSSv4 9.3), is an improper authentication vulnerability. According to QNAP, “A remote attacker can exploit the improper authentication vulnerability to compromise the security of the system.” This means that a remote attacker could bypass authentication safeguards, potentially gaining unauthorized access to the device without needing valid credentials. Exploitation of this flaw could result in complete compromise of the affected system, making it one of the most severe risks identified in the advisory.
The second flaw, CVE-2025-52861, carries a CVSSv4 score of 7.0 and is categorized as a path traversal vulnerability. As QNAP explains, “If a remote attacker gains access to an administrator account, they can then exploit the path traversal vulnerability to read the contents of unexpected files or system data.” This vulnerability requires the attacker to first gain administrator access, but once achieved, it could allow unauthorized exposure of sensitive files or configuration data, further escalating the impact of the intrusion.
QNAP confirmed that the vulnerabilities have been addressed in the following release:
| Affected Product | Fixed Version |
| Legacy VioStor NVR: QVR 5.1.x | Legacy VioStor NVR: QVR 5.1.6 build 20250621 and later |
QNAP strongly advises all users to update their systems to the latest firmware to mitigate risk. The advisory stresses: “To secure your device, we recommend regularly updating your system to the latest version to benefit from vulnerability fixes.”
Steps to update QVR firmware on legacy VioStor NVR:
- Log in as an administrator.
- Go to Control Panel > System Settings > Firmware Update.
- Under the Firmware Update tab, click Browse… to upload the new firmware file.
- Download the latest firmware for your device from QNAP’s official site.
- Click Update System to install.
Users should also check QNAP’s product support status page to confirm whether their device is still supported.
Related Posts:
- Critical ADOdb Flaw (CVE-2025-54119, CVSS 10.0) in SQLite3 Driver Allows SQL Injection
- QNAP Addresses High Severity Vulnerabilities in License Center and Operating Systems
- QNAP detects a large number of ransomware attacks
- Critical (CVSS 9.8): IBM Tivoli Monitoring Flaw Risks Remote Code Execution
- Oracle Discloses Second Hack (Client Login Data)
