Description
A use of hard-coded password vulnerability has been reported to affect Hyper Data Protector. The remote attackers can then exploit the vulnerability to gain unauthorized access.

We have already fixed the vulnerability in the following version:
Hyper Data Protector 2.3.1.455 and later
Published: 2026-03-12
Score: 6.6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized access via hard‑coded password
Action: Apply Patch
AI Analysis

Impact

A hard‑coded password is present in QNAP Hyper Data Protector, classified as CWE‑259. The vulnerability allows remote attackers to authenticate using the embedded credentials and gain unauthorized access to the system. This can result in a compromise of confidentiality and integrity of the protected data, as the attacker can read, modify, or delete data with the authenticated session. The vendor confirms that the problem is a use of a hard‑coded password and that the remote attackers can then exploit it to gain unauthorized access.

Affected Systems

All releases of QNAP Hyper Data Protector prior to version 2.3.1.455 contain the vulnerable hard‑coded password. Versions 2.3.1.455 and later include the vendor‑supplied fix and are not affected.

Risk and Exploitability

The CVSS 4.0 score of 6.6 indicates medium severity, and the EPSS score of less than 1% suggests a low likelihood of exploitation. The History section also records a CVSS 3.1 score of 9.8 for the same CVE. The vulnerability is not listed in CISA’s KEV catalog. The likely attack vector is remote and requires network access to the Hyper Data Protector service; this inference is based on the description, which states that remote attackers can exploit the vulnerability to gain unauthorized access, and it matches the AV:N component of both CVSS vectors.

Generated by OpenCVE AI on March 17, 2026 at 15:43 UTC.

Remediation

Vendor Solution

We have already fixed the vulnerability in the following version: Hyper Data Protector 2.3.1.455 and later


OpenCVE Recommended Actions

  • Update Hyper Data Protector to version 2.3.1.455 or later, which contains the vendor fix
  • Verify that login with the default credentials no longer succeeds
  • Monitor access logs for attempted use of the default credentials

Advisories

No advisories yet.

History

Mon, 16 Mar 2026 18:00:00 +0000

Type Values Removed Values Added
First Time appeared Qnap
Qnap hyper Data Protector
CPEs cpe:2.3:a:qnap:hyper_data_protector:*:*:*:*:*:*:*:*
Vendors & Products Qnap
Qnap hyper Data Protector
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Thu, 12 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 12 Mar 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Qnap Systems
Qnap Systems hyper Data Protector
Vendors & Products Qnap Systems
Qnap Systems hyper Data Protector

Thu, 12 Mar 2026 02:00:00 +0000

Type Values Removed Values Added
Description A use of hard-coded password vulnerability has been reported to affect Hyper Data Protector. The remote attackers can then exploit the vulnerability to gain unauthorized access. We have already fixed the vulnerability in the following version: Hyper Data Protector 2.3.1.455 and later
Title Hyper Data Protector
Weaknesses CWE-259
References
Metrics cvssV4_0

{'score': 6.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U'}


MITRE

Status: PUBLISHED

Assigner: qnap

Published:

Updated: 2026-03-12T13:16:43.495Z

Reserved: 2025-09-15T08:35:00.660Z

Link: CVE-2025-59388

Vulnrichment

Updated: 2026-03-12T13:16:38.505Z

NVD

Status: Analyzed

Published: 2026-03-12T02:15:58.223

Modified: 2026-03-16T17:53:28.063

Link: CVE-2025-59388

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-20T15:36:16Z

Weaknesses