CVE-2025-58463

Nov. 17, 2025, 3:40 p.m.

2.3
Low

Description

A relative path traversal vulnerability has been reported to affect Download Station. If a remote attacker gains an administrator account, they can then exploit the vulnerability to read the contents of unexpected files or system data.

We have already fixed the vulnerability in the following versions:

  • Download Station 5.10.0.305 (2025/09/16) and later
  • Download Station 5.10.0.304 (2025/09/08) and later

Product(s) Impacted

Vendor: Qnap

Product: Versions
  • Download Station: 5.10.0.291, *
  • Quts Hero: h5.2.1.2929, h5.2.1.2940
  • Qts: 5.2.1.2930

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-23
Relative Path Traversal
The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory.

*CPE(s)

Affected systems and software identified for this CVE.

Type | Vendor | Product | Version | Update | Edition | Language | Software Edition | Target Software | Target Hardware | Other Information
a | qnap | download_station | 5.10.0.291 | / | / | / | / | / | / | /
o | qnap | quts_hero | h5.2.1.2929 | build_20241025 | / | / | / | / | / | /
o | qnap | quts_hero | h5.2.1.2940 | build_20241105 | / | / | / | / | / | /
a | qnap | download_station | / | / | / | / | / | / | / | /
o | qnap | qts | 5.2.1.2930 | build_20241025 | / | / | / | / | / | /

CVSS Score

2.3 / 10

CVSS Data - 4.0

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Attack Requirements: NONE
  • Privileges Required: HIGH
  • User Interaction: NONE
  • Scope:
  • Confidentiality Impact: NONE
  • Integrity Impact: NONE
  • Availability Impact: NONE
  • Exploit Maturity: UNREPORTED
  • CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Timeline

Published: Nov. 7, 2025, 4:15 p.m.
Last Modified: Nov. 17, 2025, 3:40 p.m.

Status : Analyzed

CVE has had analysis completed and all data associations made.

Source

security@qnapsecurity.com.tw

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.