ZDI 2026-03-16

ZDI-26-201: (Pwn2Own) QNAP TS-453E Hyper Data Protector Plugin Hard-Coded Credentials Authentication Bypass Vulnerability

CVE-2025-59388

Machine-generated analysis · WAYSCloud LLM

The advisory notes a hard-coded credentials vulnerability in the QNAP TS-453E Hyper Data Protector plugin that allows authentication bypass without requiring user interaction.

Context

The QNAP TS-453E device, specifically the Hyper Data Protector plugin, is affected by a vulnerability. The issue is an authentication bypass due to hard-coded credentials. The advisory states that no authentication is required to exploit the flaw. Worth noting, the CVSS score is rated at 6.3, indicating a moderate severity level.

Operator considerations

Check: Verify if the Hyper Data Protector plugin is installed on QNAP TS-453E devices.

From Zero Day Initiative ↗

This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of QNAP TS-453E devices. Authentication is not required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 6.3. The following CVEs are assigned: CVE-2025-59388.

Read the full advisory on ZDI →