Seven QNAP Zero-Day Vulnerabilities Exploited at Pwn2Own 2025 Now Patched
\n \t
\n
<\/BR>
\n
\n \t
\n
<\/BR><\/p>\n
QNAP has addressed seven critical zero-day vulnerabilities<\/a> in its network-attached storage (NAS) operating systems, following their successful exploitation by security researchers at Pwn2Own Ireland 2025.<\/p>\n These flaws, identified as CVE-2025-62847, CVE-2025-62848, CVE-2025-62849, and associated ZDI canonical entries ZDI-CAN-28353, ZDI-CAN-28435, ZDI-CAN-28436, enable remote code execution (RCE) and privilege escalation attacks against QTS 5.2.x, QuTS hero h5.2.x, and QuTS hero h5.3.x versions.<\/p>\n The exploits, demonstrated in a controlled environment, highlight kernel-level weaknesses and web interface flaws that could allow unauthenticated attackers to compromise device integrity and exfiltrate stored data.\u200b<\/p>\n At Pwn2Own Ireland 2025<\/a>, held in Cork from October 20-22, teams including Summoning Team, DEVCORE, Team DDOS, and a CyCraft intern chained these zero-days to bypass authentication and achieve full system takeover on QNAP NAS devices.<\/p>\n The core operating system vulnerabilities involve improper input validation leading to buffer overflows and use-after-free errors in CGI handlers, facilitating arbitrary command injection without user privileges.<\/p>\n For instance, attackers exploited stack-based overflows in the quick.cgi component to execute shell commands on uninitialized devices, extending to initialized systems via chained privilege escalations.<\/p>\n These techniques mirror historical QNAP issues, such as heap overflows in cgi.cgi, but escalate to zero-click RCE in modern firmware. Event organizers from the Zero Day Initiative (ZDI) awarded bounties exceeding $150,000 for the NAS category, contributing to a total of $792,750 across 56 unique hacks.\u200b<\/p>\n QNAP resolved these issues<\/a> in firmware updates released on October 24, 2025, targeting the affected OS branches with mitigations for memory corruption and authentication bypass vectors.<\/p>\n Specifically, QTS 5.2.x users must upgrade to version 5.2.7.3297 build 20251024 or later, which includes hardened input sanitization and kernel patches to prevent overflow exploits.<\/p>\n QuTS hero h5.2.x follows the same build, while h5.3.x requires 5.3.1.3292 build 20251024 or later, addressing ZFS-specific integration flaws that amplified RCE risks in hybrid storage setups.<\/p>\n Although CVSS scores remain pending for some entries, the zero-day status and Pwn2Own context classify them as critical, with potential for denial-of-service (DoS)<\/a> as a precursor to data compromise.<\/p>\n Administrators can deploy updates via the Control Panel > System > Firmware Update interface, enabling Live Update for automatic detection and installation. Manual downloads from QNAP\u2019s Download Center support offline environments, ensuring compatibility checks against the product\u2019s EOL status page.\u200b<\/p>\n To counter residual risks, QNAP advises immediate password rotation and segmentation of NAS traffic using VLANs to limit lateral movement post-exploit.<\/p>\n The vulnerabilities extend beyond the core OS to integrated apps like HBS 3 Hybrid Backup Sync (CVE-2025-62840, CVE-2025-62842), where path traversal allows unauthorized backup access, and Malware Remover (CVE-2025-11837), which is ironically vulnerable to command injection in its scanning engine.<\/p>\n In enterprise deployments, these flaws could enable supply-chain attacks, as NAS devices often serve as centralized repositories for sensitive files.<\/p>\n Security teams should audit logs for anomalous CGI requests and integrate tools like intrusion detection systems (IDS)<\/a> for ongoing monitoring.<\/p>\n This Pwn2Own outcome underscores the efficacy of bug bounties in preempting wild exploits, urging all QNAP users to prioritize firmware hygiene amid rising NAS-targeted threats.\u200b<\/p>\n Follow us on Google News<\/a>, LinkedIn<\/a>, and X<\/a> for daily cybersecurity updates. Contact us<\/a> to feature your stories.<\/strong><\/p>\n The post Seven QNAP Zero-Day Vulnerabilities Exploited at Pwn2Own 2025 Now Patched<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nQNAP Zero-Day Vulnerabilities Exploited<\/strong><\/h2>\n
Mitigations<\/strong><\/h2>\n