Blog

QNAP fixes seven NAS zero-day flaws exploited at Pwn2Own

3 hours ago
2 minutes read

QNAP has fixed seven zero-day vulnerabilities that security researchers exploited to hack QNAP network-attached storage (NAS) devices during the Pwn2Own Ireland 2025 competition.

The flaws impact QNAP’s QTS and QuTS hero operating systems (CVE-2025-62847, CVE-2025-62848, CVE-2025-62849) and the company’s Hyper Data Protector (CVE-2025-59389), Malware Remover (CVE-2025-11837), and HBS 3 Hybrid Backup Sync (CVE-2025-62840, CVE-2025-62842) software.

QNAP said in advisories published on Friday that the security bugs were demonstrated at Pwn2Own by the Summoning Team, DEVCORE, Team DDOS, and a CyCraft technology intern.

Wiz

To patch these security flaws, QNAP recommends updating software to the latest version and changing all passwords for increased security.

QNAP has fixed all these vulnerabilities in the following software versions:

  • Hyper Data Protector 2.2.4.1 and later

  • Malware Remover 6.6.8.20251023 and later

  • HBS 3 Hybrid Backup Sync 26.2.0.938 and later

  • QTS 5.2.7.3297 build 20251024 and later

  • QuTS hero h5.2.7.3297 build 20251024 and later

  • QuTS hero h5.3.1.3292 build 20251024 and later

Users who want to update their OS to log in to QTS or QuTS Hero as an administrator should go to Control Panel > System > Firmware Update and click “Check for Update” under Live Update.

To update the vulnerable apps, first log in to QTS or QuTS hero as an admin, then open the App Center and click the search button. Type the name of the app you want to update and press ENTER. In the search results, click “Update,” and then confirm the action by clicking “OK” on the confirmation message that appears.

“To secure your device, we recommend regularly updating your system to the latest version to benefit from vulnerability fixes. You can check the product support status to see the latest updates available to your NAS model,” QNAP said.

One year ago, the NAS maker patched two other zero-days exploited during the Pwn2Own Ireland 2024 contest: an OS command injection weakness (CVE-2024-50388) in the Hybrid Backup Sync disaster recovery and data backup solution, and an SQL injection (SQLi) vulnerability (CVE-2024-50387) in QNAP’s SMB Service.

Today, QNAP also released QuMagie 2.7.0 with patches for a critical SQLi vulnerability (CVE-2025-52425) in its photo management and sharing solution that can allow remote attackers to execute unauthorized code or commands on vulnerable devices.


Wiz

It’s budget season! Over 300 CISOs and security leaders have shared how they’re planning, spending, and prioritizing for the year ahead. This report compiles their insights, allowing readers to benchmark strategies, identify emerging trends, and compare their priorities as they head into 2026.

Learn how top leaders are turning investment into measurable impact.


Source link

Related posts:

  1. Citrix fixes critical NetScaler RCE flaw exploited in zero-day attacks
  2. New TP-Link zero-day surfaces as CISA warns other flaws are exploited
  3. WhatsApp patches vulnerability exploited in zero-day attacks
  4. Samsung patches actively exploited zero-day reported by WhatsApp
See also  Terramaster Just Released a USB4 NVMe SSD Enclosure
Tags
3 hours ago
2 minutes read
Back to top button
close