CVE-2025-59387
Description
An SQL injection vulnerability has been reported to affect MARS (Multi-Application Recovery Service). Remote attackers can then exploit the vulnerability to execute unauthorized code or commands.
We have already fixed the vulnerability in the following version: MARS (Multi-Application Recovery Service) 1.2.1.1686 and later.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SQL injection in QNAP MARS (Multi-Application Recovery Service) allows remote attackers to execute arbitrary code; fixed in version 1.2.1.1686.
An SQL injection vulnerability has been discovered in MARS (Multi-Application Recovery Service) by QNAP. The flaw exists due to insufficient sanitization of user-supplied input before it is used in SQL queries. This allows an attacker to inject malicious SQL statements, leading to unauthorized code execution.
The vulnerability is remotely exploitable. An attacker can send specially crafted HTTP requests to the targeted MARS instance without requiring authentication. By manipulating input parameters, the attacker can trigger execution of arbitrary SQL commands, which may then be leveraged to execute system commands on the underlying server.
Successful exploitation enables an attacker to execute unauthorized code or commands on the affected system. This could result in full compromise of confidentiality, integrity, and availability of the MARS service and potentially the host QNAP device. The impact is critical as it allows remote unauthenticated attackers to gain control.
QNAP has addressed this issue in MARS version 1.2.1.1686 and later. Users are advised to update to the latest version immediately. Note that starting from version 1.3.x, the application has been renamed to HDP for WordPress (MARS), but the fix covers all affected builds. No workarounds have been provided; updating is the recommended remediation [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: < 1.2.1.1686
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.