Authentication Bypass in QNAP TS‑453E Hyper Data Protector Plugin (CVE‑2025‑59388) Risks Network‑Adjacent Attackers
What It Is – A hard‑coded credential flaw in the Hyper Data Protector plug‑in for QNAP’s TS‑453E NAS allows an attacker on the same network segment to bypass authentication entirely. The issue resides in the Bareos configuration used by the plug‑in.
Exploitability – CVSS 6.3 (Moderate). The vulnerability is exploitable without any credentials (AV:A, PR:N). A proof‑of‑concept was demonstrated during the Pwn2Own competition, confirming practical exploitability in the wild.
Affected Products – QNAP TS‑453E network‑attached storage devices running the Hyper Data Protector plug‑in (Bareos).
TPRM Impact –
- Unauthorized access to backup repositories can expose sensitive corporate data stored on third‑party NAS devices.
- Compromise of a vendor‑managed NAS can serve as a foothold for lateral movement into the broader supply‑chain network.
- Failure to patch may breach contractual security clauses for data protection and continuity.
Recommended Actions –
- Apply the fix published in QNAP security advisory QSA‑25‑48 immediately to replace the vulnerable plug‑in.
- If immediate patching is not possible, disable the Hyper Data Protector plug‑in and restrict network access to the NAS (segmentation, firewall rules).
- Conduct a credential audit of all backup services and rotate any stored passwords.
- Verify integrity of existing backups and monitor for anomalous access patterns.
- Update third‑party risk registers to reflect the new vulnerability and reassess the risk rating of QNAP‑based storage services.
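The credential audit recommended above can be partly automated for Bareos-style deployments. The following is an added example, not code from QNAP, Bareos or this advisory: it parses a constructed configuration in the flat `Resource { Directive = value }` syntax that Bareos and Bacula use (an assumption; nested resources are not handled) and flags `Password` directives that match a constructed list of default or weak values, that are short, or that are reused across resources. The denylist, the minimum length and the sample config are all constructed for illustration.

```python
"""Audit Bareos-style configuration text for hard-coded or weak Password
directives.  Added example: the config below is constructed, not taken
from the QNAP plug-in, and the weak-value list is an assumption."""
import re
from collections import defaultdict

# Constructed sample in Bareos/Bacula resource syntax (assumption: a
# bareos-dir style file with one Password directive per resource).
SAMPLE_CONFIG = """
Director {
  Name = bareos-dir
  Password = "changeme"
}
Client {
  Name = nas-fd
  Address = 192.0.2.10
  Password = "changeme"
}
Storage {
  Name = nas-sd
  Password = "t7Rq9vLm2XpZ4wNc8BhK"
}
Console {
  Name = admin
  Password = "admin"
}
"""

# Constructed denylist of values a vendor-shipped config should never contain.
WEAK_VALUES = {"changeme", "admin", "password", "bareos", "secret", ""}

RESOURCE_RE = re.compile(r"(\w+)\s*\{(.*?)\}", re.S)          # flat resources only
PASSWORD_RE = re.compile(r'^\s*Password\s*=\s*"?([^"\n]*)"?\s*$', re.M | re.I)
NAME_RE = re.compile(r'^\s*Name\s*=\s*"?([^"\n]*)"?\s*$', re.M | re.I)


def extract_passwords(config_text):
    """Return a list of (resource_type, resource_name, password) tuples."""
    out = []
    for m in RESOURCE_RE.finditer(config_text):
        rtype, body = m.group(1), m.group(2)
        name_m = NAME_RE.search(body)
        name = name_m.group(1).strip() if name_m else "?"
        for pm in PASSWORD_RE.finditer(body):
            out.append((rtype, name, pm.group(1).strip()))
    return out


def audit(config_text, weak_values=WEAK_VALUES, min_len=16):
    """Return findings as (severity, message) tuples.

    HIGH   - password is a known default/weak value
    MEDIUM - password shorter than min_len, or the same value is reused
             by more than one resource (a hard-coded shared secret)
    """
    findings = []
    by_value = defaultdict(list)
    for rtype, name, pw in extract_passwords(config_text):
        where = f"{rtype}/{name}"
        by_value[pw].append(where)
        if pw.lower() in weak_values:
            findings.append(("HIGH", f"{where}: password is a known default/weak value"))
        elif len(pw) < min_len:
            findings.append(("MEDIUM", f"{where}: password shorter than {min_len} chars"))
    for pw, places in by_value.items():
        if len(places) > 1:
            findings.append(("MEDIUM", f"password reused across {', '.join(places)}"))
    return findings


if __name__ == "__main__":
    for severity, msg in audit(SAMPLE_CONFIG):
        print(f"[{severity}] {msg}")
```

Run it against each `.conf` file the plug-in installs (after the patch as well as before) and treat any HIGH finding as a secret that must be rotated on both ends of the Bareos connection, since the director-side and daemon-side copies must agree.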