Search criteria
3 vulnerabilities found for hybriddesk_station by qnap
FKIE_CVE-2025-44015
Vulnerability from fkie_nvd - Published: 2025-08-29 18:15 - Updated: 2025-12-08 15:32
Severity ?
Summary
A command injection vulnerability has been reported to affect HybridDesk Station. If an attacker gains local network access, they can then exploit the vulnerability to execute arbitrary commands.
We have already fixed the vulnerability in the following version:
HybridDesk Station 4.2.18 and later
References
| URL | Tags | ||
|---|---|---|---|
| security@qnapsecurity.com.tw | https://www.qnap.com/en/security-advisory/qsa-25-20 | Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| qnap | hybriddesk_station | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:qnap:hybriddesk_station:*:*:*:*:*:*:*:*",
"matchCriteriaId": "ED2FB003-A62D-48C2-9D3F-1C041CE635AC",
"versionEndExcluding": "4.2.18",
"versionStartIncluding": "4.2.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A command injection vulnerability has been reported to affect HybridDesk Station. If an attacker gains local network access, they can then exploit the vulnerability to execute arbitrary commands.\n\nWe have already fixed the vulnerability in the following version:\nHybridDesk Station 4.2.18 and later"
}
],
"id": "CVE-2025-44015",
"lastModified": "2025-12-08T15:32:54.797",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 8.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.5,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
],
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 2.3,
"baseSeverity": "LOW",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "security@qnapsecurity.com.tw",
"type": "Secondary"
}
]
},
"published": "2025-08-29T18:15:42.097",
"references": [
{
"source": "security@qnapsecurity.com.tw",
"tags": [
"Vendor Advisory"
],
"url": "https://www.qnap.com/en/security-advisory/qsa-25-20"
}
],
"sourceIdentifier": "security@qnapsecurity.com.tw",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-77"
},
{
"lang": "en",
"value": "CWE-78"
}
],
"source": "security@qnapsecurity.com.tw",
"type": "Primary"
}
]
}
CVE-2025-44015 (GCVE-0-2025-44015)
Vulnerability from cvelistv5 – Published: 2025-08-29 17:17 – Updated: 2025-08-29 18:21
VLAI?
Summary
A command injection vulnerability has been reported to affect HybridDesk Station. If an attacker gains local network access, they can then exploit the vulnerability to execute arbitrary commands.
We have already fixed the vulnerability in the following version:
HybridDesk Station 4.2.18 and later
Severity ?
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| QNAP Systems Inc. | HybridDesk Station |
Affected:
4.2.x , < 4.2.18
(custom)
|
Credits
Dohwan Kim, Junwoo Kwon (neko_hat, wnsdn1583 from Chung-Ang Univ.)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-44015",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-29T18:16:19.071501Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-29T18:21:41.548Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "HybridDesk Station",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "4.2.18",
"status": "affected",
"version": "4.2.x",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Dohwan Kim, Junwoo Kwon (neko_hat, wnsdn1583 from Chung-Ang Univ.)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A command injection vulnerability has been reported to affect HybridDesk Station. If an attacker gains local network access, they can then exploit the vulnerability to execute arbitrary commands.\u003cbr\u003e\u003cbr\u003eWe have already fixed the vulnerability in the following version:\u003cbr\u003eHybridDesk Station 4.2.18 and later\u003cbr\u003e"
}
],
"value": "A command injection vulnerability has been reported to affect HybridDesk Station. If an attacker gains local network access, they can then exploit the vulnerability to execute arbitrary commands.\n\nWe have already fixed the vulnerability in the following version:\nHybridDesk Station 4.2.18 and later"
}
],
"impacts": [
{
"capecId": "CAPEC-88",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-88"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 2.3,
"baseSeverity": "LOW",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-77",
"description": "CWE-77",
"lang": "en",
"type": "CWE"
},
{
"cweId": "CWE-78",
"description": "CWE-78",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-29T17:17:15.478Z",
"orgId": "2fd009eb-170a-4625-932b-17a53af1051f",
"shortName": "qnap"
},
"references": [
{
"url": "https://www.qnap.com/en/security-advisory/qsa-25-20"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "We have already fixed the vulnerability in the following version:\u003cbr\u003eHybridDesk Station 4.2.18 and later\u003cbr\u003e"
}
],
"value": "We have already fixed the vulnerability in the following version:\nHybridDesk Station 4.2.18 and later"
}
],
"source": {
"advisory": "QSA-25-20",
"discovery": "EXTERNAL"
},
"title": "HybridDesk Station",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "2fd009eb-170a-4625-932b-17a53af1051f",
"assignerShortName": "qnap",
"cveId": "CVE-2025-44015",
"datePublished": "2025-08-29T17:17:15.478Z",
"dateReserved": "2025-04-21T07:56:46.494Z",
"dateUpdated": "2025-08-29T18:21:41.548Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-44015 (GCVE-0-2025-44015)
Vulnerability from nvd – Published: 2025-08-29 17:17 – Updated: 2025-08-29 18:21
VLAI?
Summary
A command injection vulnerability has been reported to affect HybridDesk Station. If an attacker gains local network access, they can then exploit the vulnerability to execute arbitrary commands.
We have already fixed the vulnerability in the following version:
HybridDesk Station 4.2.18 and later
Severity ?
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| QNAP Systems Inc. | HybridDesk Station |
Affected:
4.2.x , < 4.2.18
(custom)
|
Credits
Dohwan Kim, Junwoo Kwon (neko_hat, wnsdn1583 from Chung-Ang Univ.)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-44015",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-08-29T18:16:19.071501Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-08-29T18:21:41.548Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "HybridDesk Station",
"vendor": "QNAP Systems Inc.",
"versions": [
{
"lessThan": "4.2.18",
"status": "affected",
"version": "4.2.x",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Dohwan Kim, Junwoo Kwon (neko_hat, wnsdn1583 from Chung-Ang Univ.)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A command injection vulnerability has been reported to affect HybridDesk Station. If an attacker gains local network access, they can then exploit the vulnerability to execute arbitrary commands.\u003cbr\u003e\u003cbr\u003eWe have already fixed the vulnerability in the following version:\u003cbr\u003eHybridDesk Station 4.2.18 and later\u003cbr\u003e"
}
],
"value": "A command injection vulnerability has been reported to affect HybridDesk Station. If an attacker gains local network access, they can then exploit the vulnerability to execute arbitrary commands.\n\nWe have already fixed the vulnerability in the following version:\nHybridDesk Station 4.2.18 and later"
}
],
"impacts": [
{
"capecId": "CAPEC-88",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-88"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 2.3,
"baseSeverity": "LOW",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-77",
"description": "CWE-77",
"lang": "en",
"type": "CWE"
},
{
"cweId": "CWE-78",
"description": "CWE-78",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-08-29T17:17:15.478Z",
"orgId": "2fd009eb-170a-4625-932b-17a53af1051f",
"shortName": "qnap"
},
"references": [
{
"url": "https://www.qnap.com/en/security-advisory/qsa-25-20"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "We have already fixed the vulnerability in the following version:\u003cbr\u003eHybridDesk Station 4.2.18 and later\u003cbr\u003e"
}
],
"value": "We have already fixed the vulnerability in the following version:\nHybridDesk Station 4.2.18 and later"
}
],
"source": {
"advisory": "QSA-25-20",
"discovery": "EXTERNAL"
},
"title": "HybridDesk Station",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "2fd009eb-170a-4625-932b-17a53af1051f",
"assignerShortName": "qnap",
"cveId": "CVE-2025-44015",
"datePublished": "2025-08-29T17:17:15.478Z",
"dateReserved": "2025-04-21T07:56:46.494Z",
"dateUpdated": "2025-08-29T18:21:41.548Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}