The vulnerability affects QVR firmware version 5.1.x running on legacy VioStor NVR
Key Takeaways
1. Two vulnerabilities allow remote authentication bypass and unauthorized file access in QNAP VioStor NVR systems.
2. Upgrade to QVR firmware 5.1.6 build 20250621.
3. Complete system compromise possible, exposing surveillance data and controls.
CVE-2025-52856 represents the most critical component of this security advisory, classified as an improper authentication vulnerability with significant implications for system security.
This flaw allows remote attackers to circumvent the normal authentication process entirely, effectively bypassing login credentials, multi-factor authentication, and other security controls implemented in the QVR firmware.
The vulnerability operates at the application layer, where flawed authentication logic or missing validation checks enable unauthorized access without requiring valid user credentials.
The improper authentication mechanism creates a direct pathway for attackers to gain initial system access, making this vulnerability particularly dangerous as it serves as the entry point for further exploitation.
Remote attackers can exploit this flaw through network connections to the VioStor NVR device, potentially allowing them to assume administrative privileges and access sensitive surveillance data, configuration settings, and system controls without any prior knowledge of legitimate user accounts.
CVE-2025-52861 is a path traversal vulnerability, also known as a directory traversal attack, that becomes exploitable once an attacker has gained administrator-level access through the authentication bypass.
This vulnerability allows malicious actors to navigate outside of restricted directory boundaries by manipulating file path parameters, typically using techniques such as “../” sequences to access parent directories and sensitive system files.
When successfully exploited, this path traversal flaw enables attackers to read arbitrary files beyond their intended access scope, including configuration files containing sensitive system parameters, user credential databases, cryptographic keys, and other critical system data.
| CVE ID | Title | Severity |
| CVE-2025-52856 | Improper Authentication Vulnerability in QVR Firmware | Important |
| CVE-2025-52861 | Path Traversal Vulnerability in QVR Firmware | Important |
QNAP has resolved both vulnerabilities in QVR firmware version 5.1.6 build 20250621 and later releases.
The company strongly recommends that all users running legacy VioStor NVR systems with QVR 5.1.x firmware immediately upgrade to the patched version to mitigate these security risks.
The update process requires administrative access to the VioStor NVR web interface, where users must navigate to Control Panel > System Settings > Firmware Update to upload and install the latest firmware file.
The vulnerabilities were discovered and reported by security researcher Hou Liuyang from 360 Security, highlighting the importance of coordinated vulnerability disclosure in identifying and addressing critical security flaws.
Network administrators should prioritize this update as the combination of authentication bypass and path traversal vulnerabilities creates a high-risk scenario where attackers could gain complete control over affected NVR systems, potentially compromising video surveillance infrastructure and accessing recorded footage or live camera feeds.
Find this Story Interesting! Follow us on Google News, LinkedIn, and X to Get More Instant Updates.
The post QNAP Vulnerability Let Attackers Bypass Authentication and Access Unauthorized Files appeared first on Cyber Security News.
Car dashcams have their uses. They can come in handy for recording accidents when nobody…
Tickets for PAX Aus 2026 are available today, with ‘Early Bird’ prices on offer for…
After making his gaming debut in Clair Obscur: Expedition 33, Charlie Cox is once again…
Switch 2 owners, check out this super low price on a first party Switch 2…
Ever since Nvidia announced DLSS 5 last week, the reaction has been, well, controversial. And…
This website uses cookies.