QNAP Qfiling: Organizing Your Secrets for Public Access
Vulnerability ID: CVE-2025-59384
CVSS Score: 8.1
Published: 2026-01-02
A high-severity (CVSS 8.1) unauthenticated path traversal vulnerability in QNAP Qfiling allows remote attackers to read arbitrary files from the NAS, turning a handy file-organizing tool into a data exfiltration pipeline.
TL;DR
QNAP's Qfiling application, which automates file management on QTS and QuTS hero, did not properly validate user-supplied file paths (CWE-22). An unauthenticated remote attacker can therefore traverse the filesystem with ../ sequences and read sensitive files such as /etc/shadow. Update to version 3.13.1 or later as soon as possible.
⚠️ Exploit Status: PoC
Technical Details
- CWE ID: CWE-22
- Attack Vector: Network (CVSS: AV:N)
- Privileges Required: None (CVSS: PR:N)
- CVSS v4.0: 8.1 (High)
- EPSS Score: 0.18%
- Impact: High (Confidentiality)
Affected Systems
- QNAP Qfiling < 3.13.1 (fixed in 3.13.1)
Exploit Details
- Hypothetical PoC (the endpoint and parameter names below are placeholders, not taken from the vendor advisory): a standard curl-based path traversal request such as curl --path-as-is http://target/qfiling/api?file=../../etc/shadow. The --path-as-is flag stops curl from collapsing the ../ segments client-side, so the raw traversal sequence reaches the server.
Mitigation Strategies
- Input Validation: Canonicalize the requested path and verify that the resolved result stays inside the intended directory; allowlist permitted files or directories rather than blocklisting ../ sequences, which are easy to evade with encoding.
- Authentication: Require a valid session token on every API endpoint, including file-retrieval endpoints.
- Network Segmentation: Keep NAS devices off the public internet and out of direct port-forwarding rules.
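The following Python example is added here to illustrate the first mitigation; it is not Qfiling's code, and the export directory, request vectors and sandbox layout are constructed for the demonstration. It contrasts the CWE-22 pattern (joining user input onto a base directory) with a resolver that percent-decodes, canonicalizes with realpath and then checks containment on the resolved path, so plain ../, encoded separators, double encoding, absolute paths, NUL bytes and symlinks that point outside the share are all rejected by one comparison.

```python
import os
import tempfile
from urllib.parse import unquote


class PathTraversalError(ValueError):
    """Raised when a requested path would resolve outside the permitted directory."""


def safe_resolve(user_path: str, base_dir: str) -> str:
    """Return the canonical absolute path for user_path under base_dir, or raise.

    Percent-decode (twice, to catch double encoding; a legitimate name
    containing a literal '%' would need escaping under this policy), reject
    NUL bytes, join onto the canonical base, canonicalise with realpath
    (which follows symlinks), then require the result to lie under the base.
    """
    decoded = unquote(unquote(user_path))
    if "\x00" in decoded:
        raise PathTraversalError("NUL byte in path")
    base_real = os.path.realpath(base_dir)
    # os.path.join discards base_real if decoded is absolute; realpath then
    # yields a path outside base_real, which the containment check rejects.
    candidate = os.path.realpath(os.path.join(base_real, decoded))
    if candidate != base_real and not candidate.startswith(base_real + os.sep):
        raise PathTraversalError(f"{user_path!r} resolves outside {base_dir}")
    return candidate


def vulnerable_resolve(user_path: str, base_dir: str) -> str:
    """The CWE-22 pattern: join the request path onto the base with no containment check."""
    return os.path.normpath(os.path.join(base_dir, user_path))


def make_sandbox() -> str:
    """Build a constructed directory tree (hypothetical Qfiling export share).

    <tmp>/export/reports/q1.txt      legitimate file
    <tmp>/export/escape -> <tmp>/secret   symlink pointing out of the share
    <tmp>/secret/shadow              stands in for /etc/shadow
    """
    root = tempfile.mkdtemp(prefix="qfiling-demo-")
    export = os.path.join(root, "export")
    os.makedirs(os.path.join(export, "reports"))
    os.makedirs(os.path.join(root, "secret"))
    with open(os.path.join(export, "reports", "q1.txt"), "w") as f:
        f.write("quarterly report\n")
    with open(os.path.join(root, "secret", "shadow"), "w") as f:
        f.write("root:$6$constructed:19000:0:99999:7:::\n")  # constructed, not a real hash
    os.symlink(os.path.join(root, "secret"), os.path.join(export, "escape"))
    return export


# Constructed request vectors: the hypothetical PoC payload plus common evasions.
VECTORS = [
    "reports/q1.txt",               # legitimate
    "../../etc/shadow",             # plain traversal
    "..%2F..%2Fetc%2Fshadow",       # encoded separators
    "%252e%252e%252fetc/shadow",    # double-encoded
    "/etc/shadow",                  # absolute path
    "escape/shadow",                # symlink that leaves the share
    "reports/%00../../etc/shadow",  # NUL byte
]


def evaluate(base_dir: str) -> dict:
    """Map each vector to 'allowed' or 'blocked' under safe_resolve."""
    results = {}
    for vector in VECTORS:
        try:
            safe_resolve(vector, base_dir)
            results[vector] = "allowed"
        except PathTraversalError:
            results[vector] = "blocked"
    return results


if __name__ == "__main__":
    base = make_sandbox()
    for vector, verdict in evaluate(base).items():
        print(f"{verdict:8} {vector}")
    # The naive resolver walks straight out of the share:
    print("vulnerable:", vulnerable_resolve("../../etc/shadow", base))
```

Only the first vector is allowed; everything else, including the symlink escape that a purely lexical check would miss, is blocked because the comparison runs on the fully resolved path.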
Remediation Steps:
- Log in to QTS/QuTS hero as administrator.
- Open the App Center.
- Navigate to 'My Apps' and locate Qfiling.
- Click 'Update' to install version 3.13.1 or later.