QNAP has fixed seven zero-day vulnerabilities that security researchers exploited to hack QNAP network-attached storage (NAS) devices during the Pwn2Own Ireland 2025 competition.
The issues impact QNAP's QTS and QuTS hero operating systems (CVE-2025-62847, CVE-2025-62848, CVE-2025-62849) and the company's Hyper Data Protector (CVE-2025-59389), Malware Remover (CVE-2025-11837), and HBS 3 Hybrid Backup Sync (CVE-2025-62840, CVE-2025-62842) software.
QNAP said in advisories published on Friday that the security bugs were demonstrated at Pwn2Own by Summoning Team, DEVCORE, Team DDOS, and a CyCraft technology intern.
To patch these security flaws, QNAP recommends updating software to the latest version and changing all passwords for increased security.
QNAP has fixed all these vulnerabilities in the following software versions:
- Hyper Data Protector 2.2.4.1 and later
- Malware Remover 6.6.8.20251023 and later
- HBS 3 Hybrid Backup Sync 26.2.0.938 and later
- QTS 5.2.7.3297 build 20251024 and later
- QuTS hero h5.2.7.3297 build 20251024 and later
- QuTS hero h5.3.1.3292 build 20251024 and later
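A quick way to check an inventory of NAS devices against the fixed versions above, written as an added example (not QNAP's code). It assumes version strings in the "h5.2.7.3297 build 20251024" form shown in the list, and treats the two QuTS hero lines as separate branches, so a build on a branch the advisory does not list (for example h5.3.0.x) is reported as unknown rather than patched.

```python
"""Compare installed QNAP component versions with the fixed versions from the
Pwn2Own Ireland 2025 advisories. Added example, not QNAP's own tooling."""
import re
from typing import List, Optional, Tuple

# Fixed versions exactly as listed in the advisory summary above.
FIXED = {
    "Hyper Data Protector": ["2.2.4.1"],
    "Malware Remover": ["6.6.8.20251023"],
    "HBS 3 Hybrid Backup Sync": ["26.2.0.938"],
    "QTS": ["5.2.7.3297 build 20251024"],
    "QuTS hero": ["h5.2.7.3297 build 20251024", "h5.3.1.3292 build 20251024"],
}
# Products whose fixes are issued per branch (first three numbers).
BRANCHED = {"QTS", "QuTS hero"}

# Optional leading "h" (QuTS hero), dotted numbers, optional "build NNNN".
_VER_RE = re.compile(r"^h?(\d+(?:\.\d+)*)(?:\s+build\s+(\d+))?$", re.IGNORECASE)

Version = Tuple[Tuple[int, ...], int]


def parse_version(text: str) -> Version:
    """'h5.2.7.3297 build 20251024' -> ((5, 2, 7, 3297), 20251024)."""
    m = _VER_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    numbers = tuple(int(part) for part in m.group(1).split("."))
    build = int(m.group(2)) if m.group(2) else 0
    return numbers, build


def is_patched(product: str, installed: str) -> Optional[bool]:
    """True if at/above the fix on the same branch, False if older than every
    fixed version, None if on a branch the advisory does not cover."""
    inst = parse_version(installed)
    fixes: List[Version] = [parse_version(f) for f in FIXED[product]]
    for fix in fixes:
        same_branch = product not in BRANCHED or inst[0][:3] == fix[0][:3]
        if same_branch:
            return inst >= fix  # tuple comparison: numbers first, then build
    if inst < min(fixes):
        return False  # predates every fixed line, so certainly unpatched
    return None  # e.g. QuTS hero h5.3.0.x: not listed, verify against QNAP


if __name__ == "__main__":
    # Constructed sample inventory, not real devices.
    for product, version in [("QTS", "5.2.7.3297 build 20251010"),
                             ("QuTS hero", "h5.3.0.3200 build 20250901"),
                             ("Malware Remover", "6.6.8.20251023")]:
        print(product, version, "->", is_patched(product, version))
```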
Users who want to update their OS should log in to QTS or QuTS hero as an administrator, go to Control Panel > System > Firmware Update, and click "Check for Update" under Live Update.
To update the vulnerable apps, first log in to QTS or QuTS hero as an admin, then open the App Center and click the search button. Type the name of the app you want to update and press ENTER. In the search results, click "Update," and then confirm the action by clicking "OK" on the confirmation message that appears.
"To secure your system, we recommend regularly updating your system to the latest version to benefit from vulnerability fixes. You can check the product support status to see the latest updates available for your NAS model," QNAP said.
One year ago, the NAS maker patched two other zero-days exploited during the Pwn2Own Ireland 2024 contest: an OS command injection weakness (CVE-2024-50388) in the Hybrid Backup Sync disaster recovery and data backup solution, and an SQL injection (SQLi) vulnerability (CVE-2024-50387) in QNAP's SMB Service.
Today, QNAP also released QuMagie 2.7.0 with patches for a critical SQLi vulnerability (CVE-2025-52425) in its photo management and sharing solution that could allow remote attackers to execute unauthorized code or commands on vulnerable devices.