QNAP has mounted seven zero-day vulnerabilities that safety researchers exploited to hack QNAP network-attached storage (NAS) units through the Pwn2Own Eire 2025 competitors.
The failings affect QNAP’s QTS and QuTS hero working methods (CVE-2025-62847, CVE-2025-62848, CVE-2025-62849) and the corporate’s Hyper Knowledge Protector (CVE-2025-59389), Malware Remover (CVE-2025-11837), and HBS 3 Hybrid Backup Sync (CVE-2025-62840, CVE-2025-62842) software program.
QNAP mentioned in advisories printed on Friday that the safety bugs had been demonstrated at Pwn2Own by the Summoning Staff, DEVCORE, Staff DDOS, and a CyCraft expertise intern.
To patch these safety flaws, QNAP recommends updating software program to the most recent model and altering all passwords for elevated safety.
QNAP has mounted all these vulnerabilities within the following software program variations:
- Hyper Knowledge Protector 2.2.4.1 and later
- Malware Remover 6.6.8.20251023 and later
- HBS 3 Hybrid Backup Sync 26.2.0.938 and later
- QTS 5.2.7.3297 construct 20251024 and later
- QuTS hero h5.2.7.3297 construct 20251024 and later
- QuTS hero h5.3.1.3292 construct 20251024 and later
Customers who wish to replace their OS to log in to QTS or QuTS Hero as an administrator ought to go to Management Panel > System > Firmware Replace and click on “Verify for Replace” beneath Stay Replace.
To replace the weak apps, first log in to QTS or QuTS hero as an admin, then open the App Heart and click on the search button. Sort the title of the app you wish to replace and press ENTER. Within the search outcomes, click on “Replace,” after which verify the motion by clicking “OK” on the affirmation message that seems.
“To safe your gadget, we suggest frequently updating your system to the most recent model to profit from vulnerability fixes. You may examine the product help standing to see the most recent updates out there to your NAS mannequin,” QNAP mentioned.
One 12 months in the past, the NAS maker patched two different zero-days exploited through the Pwn2Own Eire 2024 contest: an OS command injection weak spot (CVE-2024-50388) within the Hybrid Backup Sync catastrophe restoration and knowledge backup resolution, and an SQL injection (SQLi) vulnerability (CVE-2024-50387) in QNAP’s SMB Service.
At the moment, QNAP additionally launched QuMagie 2.7.0 with patches for a vital SQLi vulnerability (CVE-2025-52425) in its picture administration and sharing resolution that may permit distant attackers to execute unauthorized code or instructions on weak units.
It is price range season! Over 300 CISOs and safety leaders have shared how they’re planning, spending, and prioritizing for the 12 months forward. This report compiles their insights, permitting readers to benchmark methods, establish rising developments, and evaluate their priorities as they head into 2026.
Learn the way high leaders are turning funding into measurable affect.
