QNAP Systems Releases Critical Security Patches for Legacy VioStor NVR Systems

In a significant move to bolster the security of its legacy VioStor Network Video Recorder (NVR) systems, QNAP Systems has announced the release of essential security patches aimed at addressing multiple vulnerabilities affecting QVR firmware. On August 29, 2025, the company disclosed two critical security flaws, urging users to update their systems immediately to mitigate potential security breaches.

Dual Vulnerabilities Pose Significant Security Risks

The security advisory issued by QNAP highlights two distinct vulnerabilities that could severely compromise the integrity of legacy VioStor NVR systems running QVR 5.1.x firmware.

CVE-2025-52856: Improper Authentication Flaw

The first vulnerability, tracked as CVE-2025-52856, is an improper authentication flaw that allows remote attackers to bypass security measures without the need for proper credentials. This critical weakness poses a significant risk, as unauthorized individuals could gain access to sensitive surveillance data and system controls, potentially leading to severe privacy violations and data breaches.

CVE-2025-52861: Path Traversal Vulnerability

The second vulnerability, identified as CVE-2025-52861, presents a path traversal security gap that becomes exploitable once an attacker gains administrator-level access. Through this flaw, malicious actors can read unexpected files and access sensitive system data beyond their intended permissions. Although this vulnerability requires prior administrative access, it significantly amplifies the potential damage from successful attacks.

Key Characteristics of the Vulnerabilities

• CVE-2025-52856: Remote authentication bypass allowing unauthorized system access.
• CVE-2025-52861: Path traversal vulnerability enabling unauthorized file access.
• Severity Level: Both vulnerabilities are classified as “Important,” indicating a substantial risk to affected systems.
• Discovery Credit: Security researcher Hou Liuyang from 360 Security.
• Impact Scope: Legacy VioStor NVR systems running QVR 5.1.x firmware.

Both vulnerabilities have been marked with an “Important” severity level, underscoring the substantial risk they pose to affected systems. The discovery and reporting of these flaws highlight the critical role of collaborative security research in identifying vulnerabilities that could jeopardize system integrity.

QNAP’s Swift Response to Security Concerns

In response to these alarming security issues, QNAP has acted swiftly by releasing updated firmware that addresses both vulnerabilities. Users of legacy VioStor NVR systems running QVR 5.1.x are encouraged to upgrade to QVR 5.1.6 build 20250621 or later versions to eliminate these security risks. The company has marked the vulnerabilities as “Resolved,” indicating that comprehensive fixes are now available through the latest firmware updates.

This rapid response illustrates QNAP’s commitment to maintaining the security of their surveillance infrastructure products, even for legacy systems that may not receive regular feature updates. Users can verify their current firmware version and download the appropriate updates directly from QNAP’s official download portal.

Critical Update Process and Security Recommendations

QNAP provides detailed instructions for updating affected systems, emphasizing the straightforward nature of the patch installation process. Administrators can access the firmware update functionality through the Control Panel’s System Settings menu, where they can upload and install the latest security patches.

Update Process Steps

1. Access the Control Panel: Navigate to the System Settings menu.
2. Download Firmware: Obtain the specific firmware file for your device model from QNAP’s official website.
3. Upload Firmware: Use the firmware update interface to upload the downloaded file.
4. Automatic Installation: The system will automatically install the security patches, providing immediate protection against the identified vulnerabilities.

QNAP strongly recommends that users establish regular update schedules to ensure their systems receive the latest security patches promptly. Additionally, the company advises checking their product support status page to monitor ongoing support availability for specific NVR models and to stay informed about future security updates and system recommendations.

Conclusion

The recent security vulnerabilities affecting QNAP’s legacy VioStor NVR systems underscore the importance of proactive security measures in the realm of surveillance technology. With the release of critical patches and a clear update process, QNAP demonstrates its commitment to safeguarding user data and maintaining the integrity of its systems. Users are urged to take immediate action to protect their surveillance infrastructure and ensure the security of sensitive information.

For ongoing updates and information, follow QNAP on their official channels and stay informed about the latest security developments.