Impact
The vulnerability is an improper certificate validation flaw in QNAP Video Station. According to the vendor description, an attacker who has already gained local network access and an administrator account can exploit this weakness to compromise the security of the system. Successful exploitation gives the attacker full control over the affected device and potentially lets them access or tamper with data stored or streamed by Video Station.
Affected Systems
The affected product is QNAP Systems Inc. Video Station. The official solution notes that versions before 5.8.2 are vulnerable, with the issue fixed in Video Station 5.8.2 and later. No specific version ranges are given beyond that, so any release older than 5.8.2 should be considered at risk. The Common Platform Enumeration entry is cpe:2.3:a:qnap:video_station:*:*:*:*:*:*:*:*.
Risk and Exploitability
The CVSS score is 0.1, indicating very low severity, and the EPSS score is quoted as less than 1%, indicating a low likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. Because exploitation requires local network presence and an administrator account, the attack vector is inferred to be local. The low CVSS and EPSS scores, combined with the prerequisite of administrative credentials, suggest that while the threat is real, its practical risk is minimal for well-secured environments. However, any administrative user exposed on the local network creates a potential attack surface.