QNAP TS‑453E Hyper Data Protector Plugin (CVE‑2025‑59389): Root‑Level Remote Code Execution via SQL Injection
What It Is — A remote‑code‑execution (RCE) flaw in the Hyper Data Protector plugin of QNAP TS‑453E network‑attached storage devices. The root cause is a SQL injection: the plugin's query_original_file_size routine builds a SQL query from unsanitized input, and a successful injection lets an attacker run arbitrary commands with root privileges.
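To make the flaw class concrete, here is an added Python illustration (not QNAP's code and not the plugin's actual query) of a file‑size lookup built by string concatenation beside its parameterized replacement. The table, column and function names are assumptions, and the rows and probe strings are constructed sample data.

```python
import sqlite3

# Added illustration of the flaw class, not QNAP's code: table, column and
# function names are assumptions, and the rows are constructed sample data.


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE backup_files (name TEXT, size INTEGER, owner TEXT)")
    conn.executemany(
        "INSERT INTO backup_files VALUES (?, ?, ?)",
        [("report.pdf", 4096, "alice"), ("secret.key", 512, "root")],
    )
    conn.commit()
    return conn


def query_size_vulnerable(conn, name):
    """String-built SQL: the caller-controlled name becomes SQL syntax."""
    sql = "SELECT size FROM backup_files WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def query_size_safe(conn, name):
    """Bound parameter: the driver passes the name as data, never as SQL."""
    sql = "SELECT size FROM backup_files WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def compare(name):
    """Run both variants on the same input; returns (vulnerable, safe) results.

    A syntax error in the vulnerable path is reported as a string instead of
    raising, so a single apostrophe in a legitimate name is visible too.
    """
    conn = make_db()
    try:
        vulnerable = sorted(query_size_vulnerable(conn, name))
    except sqlite3.OperationalError as exc:
        vulnerable = "error: " + str(exc)
    safe = sorted(query_size_safe(conn, name))
    conn.close()
    return vulnerable, safe


if __name__ == "__main__":
    for probe in (
        "report.pdf",                                 # normal lookup
        "x' OR '1'='1",                               # tautology: dumps every size
        "x' UNION SELECT owner FROM backup_files--",  # pivots to another column
        "o'brien.txt",                                # benign name, breaks string-built SQL
    ):
        print(repr(probe), "->", compare(probe))
```

Only the bound‑parameter form treats the file name strictly as data: the tautology and UNION probes return exactly nothing from it, and a legitimate name containing an apostrophe no longer produces a syntax error. The example stops at showing how an unsanitized name rewrites the query; how the plugin gets from there to root command execution is not shown.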
Exploitability — Network‑adjacent attackers (AV:A) can exploit the issue once they hold a low‑privilege session on the device (PR:L in the vector), for example after bypassing the built‑in authentication or with a weak or stolen credential; a proof‑of‑concept has been publicly released. CVSS v3 base score 8.0 (AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), High severity, with full confidentiality, integrity, and availability impact.
Affected Products — QNAP TS‑453E NAS units running the Hyper Data Protector plugin prior to the March 2026 security update (QSA‑25‑48).
TPRM Impact — QNAP NAS devices are frequently deployed by third‑party vendors to store client backups, host shared files, or act as edge‑storage for SaaS platforms. Successful exploitation can lead to:
- Data exfiltration from downstream customers.
- Ransomware or malware staging that propagates through the supply chain.
- Service disruption for partners relying on the NAS for critical workloads.
Recommended Actions —
- Deploy QNAP's March 2026 firmware update (QSA‑25‑48) immediately. Because a proof‑of‑concept is public, treat any unpatched unit that was reachable from untrusted segments as potentially compromised and check it before trusting it again.
- Verify the Hyper Data Protector plugin is updated; disable it if not required.
- Conduct an inventory sweep to identify any TS‑453E devices within your vendor ecosystem.
- Segment NAS management interfaces from the internet and, since the vector is adjacent‑network (AV:A), restrict which internal segments and accounts can reach the plugin at all.
- Review the plugin's request logs and the system logs for quotes, SQL keywords or comment sequences in file‑name parameters, for server errors on such requests, and for unexpected root‑level processes spawned by the plugin's service.
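As an added example of the log review in the last bullet (not from the page, QNAP, or the plugin), the following Python scans constructed access‑log lines in a generic combined‑log style for SQL‑injection indicators in query parameters. The endpoint /plugin/hdp/size, the user names, the log format and the table and column names inside the payloads are all assumptions; real QNAP logs will differ and may not record query strings at all.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Added example, not QNAP's code or log format. The lines below are constructed
# in a generic combined-log style; the endpoint /plugin/hdp/size, the users and
# the table/column names in the payloads are assumptions.
SAMPLE_LOG = """\
192.168.1.20 - alice [12/Mar/2026:10:01:07 +0000] "GET /plugin/hdp/size?file=report.pdf HTTP/1.1" 200 512
192.168.1.77 - bob [12/Mar/2026:10:03:44 +0000] "GET /plugin/hdp/size?file=x%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 8190
192.168.1.77 - bob [12/Mar/2026:10:03:51 +0000] "GET /plugin/hdp/size?file=x%27%20UNION%20SELECT%20passwd%20FROM%20users-- HTTP/1.1" 200 9902
192.168.1.20 - alice [12/Mar/2026:10:05:12 +0000] "GET /plugin/hdp/size?file=o%27brien.txt HTTP/1.1" 500 0
192.168.1.20 - alice [12/Mar/2026:10:06:40 +0000] "GET /cgi-bin/status HTTP/1.1" 200 2048
"""

LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)

# Strong indicators: quote followed by a boolean operator, UNION...SELECT,
# SQL comment openers, or a stacked statement after a semicolon.
STRONG_RULES = [
    ("tautology", re.compile(r"'\s*(?:or|and)\b", re.I)),
    ("union_select", re.compile(r"\bunion\b[\s\S]*\bselect\b", re.I)),
    ("sql_comment", re.compile(r"--|/\*")),
    ("stacked_query", re.compile(r";\s*(?:select|insert|update|delete|drop)\b", re.I)),
]


def classify(value, status):
    """Return (severity, reasons) for one URL-decoded parameter value."""
    reasons = [name for name, rx in STRONG_RULES if rx.search(value)]
    if reasons:
        return "high", reasons
    if "'" in value or '"' in value:
        # A lone quote is usually a legitimate name, but a 5xx on it suggests
        # the handler builds SQL from the raw string.
        reasons = ["quote"] + (["server_error_on_quote"] if status >= 500 else [])
        return "low", reasons
    return None, []


def scan(log_text):
    """Parse log lines and return findings for parameters that look like SQLi."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        m = LINE_RE.match(line)
        if not m:
            continue  # unparsable line; a real triage would count these
        status = int(m.group("status"))
        query = urlsplit(m.group("target")).query
        for param, value in parse_qsl(query, keep_blank_values=True):
            severity, reasons = classify(value, status)
            if severity:
                findings.append({
                    "line": lineno, "src": m.group("src"), "user": m.group("user"),
                    "param": param, "value": value, "status": status,
                    "severity": severity, "reasons": reasons,
                })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f['line']} {f['severity']:4} {f['src']} {f['user']} "
              f"{f['param']}={f['value']!r} status={f['status']} {f['reasons']}")
```

The two payload lines score high; the apostrophe in a legitimate file name scores low on its own, but the 500 response it triggers is itself a hint that the handler concatenates the name into SQL, which is worth following up on an unpatched unit. The scan decodes percent‑encoding once; payloads that are double‑encoded, sent in POST bodies, or sent to an endpoint whose query strings are never logged will not appear, so a clean result here does not prove the device was not attacked.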