CVE-2025-59384
8.10.18%
QNAP Qfiling: Organizing Your Secrets for Public Access
Amit Schendel
Senior Security ResearcherJan 6, 2026·6 min read·5 visits
PoC Available
Executive Summary (TL;DR)
QNAP's Qfiling application, designed to automate file management, failed to sanitize input paths. This allows unauthenticated remote attackers to traverse the filesystem (via `../`) and read sensitive files like `/etc/shadow`. Patch immediately to version 3.13.1.
A critical unauthenticated path traversal vulnerability in QNAP Qfiling allows remote attackers to read arbitrary system files, turning a handy file-organizing tool into a data exfiltration pipeline.
Official Patches
Technical Appendix
CVSS Score
8.1/ 10
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:UEPSS Probability
0.18%
Top 60% most exploited
Affected Systems
QNAP Qfiling < 3.13.1
Affected Versions Detail
| Product | Affected Versions | Fixed Version |
|---|---|---|
Qfiling QNAP | < 3.13.1 | 3.13.1 |
| Attribute | Detail |
|---|---|
| CWE ID | CWE-22 |
| Attack Vector | Network (CVSS: AV:N) |
| Privileges Required | None (CVSS: PR:N) |
| CVSS v4.0 | 8.1 (High) |
| EPSS Score | 0.18% |
| Impact | High (Confidentiality) |
MITRE ATT&CK Mapping
CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Known Exploits & Detection
Vulnerability Timeline
Internal discovery of vulnerability
2025-12-29
CVE-2025-59384 Assigned
2026-01-02
QNAP releases QSA-25-54 and Patch
2026-01-03