Full Report
QNAP has fixed seven zero-day vulnerabilities that security researchers exploited to hack QNAP network-attached storage (NAS) devices during the Pwn2Own Ireland 2025 competition. [...]
Analysis Summary
# Vulnerability: Seven Zero-Day Flaws Patched in QNAP NAS/Software Following Pwn2Own 2025 Exploitation
## CVE Details
- CVE ID: CVE-2025-62847, CVE-2025-62848, CVE-2025-62849, CVE-2025-59389, CVE-2025-11837, CVE-2025-62840, CVE-2025-62842 (7 distinct CVEs detailed below)
- CVSS Score: Not specified in source.
- CWE: Not specified in source for the seven Pwn2Own vulnerabilities. (Note: CVE-2025-52425 is mentioned separately as an SQLi.)
## Affected Systems
- Products: QNAP QTS OS, QuTS hero OS, Hyper Data Protector, Malware Remover, HBS 3 Hybrid Backup Sync.
- Versions: Specific vulnerable versions were not listed, but the patches apply to previous versions of the affected software/OS.
- Configurations: QNAP NAS devices running the listed operating systems and applications.
## Vulnerability Description
Seven zero-day vulnerabilities were discovered and successfully exploited by security researchers (Summoning Team, DEVCORE, Team DDOS, and a CyCraft intern) during the Pwn2Own Ireland 2025 competition against QNAP NAS devices. These flaws span across the QTS/QuTS hero operating systems and several QNAP applications (Hyper Data Protector, Malware Remover, and HBS 3). The exact technical nature of the seven flaws is not detailed, only their association with the exploited OS/applications.
**Additionally, one related critical flaw was patched:**
* **CVE-2025-52425:** A critical SQL Injection (SQLi) vulnerability in QuMagie 2.7.0, allowing remote attackers to execute unauthorized code or commands.
## Exploitation
- Status: **Exploited in the wild** (specifically, demonstrated/exploited at Pwn2Own Ireland 2025).
- Complexity: Implied to be significant due to successful exploitation in a competition setting.
- Attack Vector: Likely network or local access required depending on the specific flaw, resulting in device compromise.
## Impact
- Confidentiality: High (Implied by successful exploitation of OS/Applications).
- Integrity: High (Implied by successful exploitation resulting in device hacking).
- Availability: High (Implied by successful exploitation/takeover).
## Remediation
### Patches
Users must update their operating systems and related applications to the following versions or later:
* **Hyper Data Protector:** 2.2.4.1 and later
* **Malware Remover:** 6.6.8.20251023 and later
* **HBS 3 Hybrid Backup Sync:** 26.2.0.938 and later
* **QTS:** 5.2.7.3297 build 20251024 and later
* **QuTS hero (h5.2, h5.3):** Builds 20251024 or later (e.g., h5.2.7.3297 build 20251024 and later, or h5.3.1.3292 build 20251024 and later)
* **QuMagie:** 2.7.0 and later (for CVE-2025-52425)
### Workarounds
1. Change all passwords for increased security.
2. Regularly update the system to the latest version.
## Detection
- **Indicators of Compromise:** Not specified for the 7 new CVEs. Historical context suggests looking for unauthorized file access, configuration changes, or unexpected process execution indicative of system compromise.
- **Detection methods and tools:** Use standard security monitoring tools to monitor QNAP device logs for anomalies, specifically around areas related to the vulnerable applications Post-patch, monitor for logs related to systems running older versions.
## References
- Vendor Advisory: QNAP Security Advisory listings (Implied by context).
- Relevant links:
- [QNAP Product Support Status](https://www.qnap.com/en/product/eol.php)