CVE-2025-44015
BaseFortify
Publication date: 2025-08-29
Last updated on: 2025-12-08
Assigner: QNAP Systems, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| qnap | hybriddesk_station | From 4.2.0 (inc) to 4.2.18 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-44015 is a command injection vulnerability in QNAP's HybridDesk Station version 4.2.x. It allows an attacker who has local network access to execute arbitrary commands on the affected system, potentially compromising it. The vulnerability has been fixed in version 4.2.18 and later. [1]
How can this vulnerability impact me?
If exploited, this vulnerability could allow an attacker on the local network to run arbitrary commands on your system, which may lead to unauthorized control, data compromise, or disruption of services. It is recommended to update HybridDesk Station to version 4.2.18 or later to mitigate this risk. [1]
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, immediately update HybridDesk Station to version 4.2.18 or later. This can be done by logging into QTS or QuTS hero as an administrator, accessing the App Center, searching for "HybridDesk Station," and clicking the Update button if available. [1]