QNAP Patches Critical Zero-Day Flaws Exploited at Pwn2Own
▼ Summary
– QNAP has patched seven zero-day vulnerabilities exploited during the Pwn2Own Ireland 2025 competition.
– The flaws affect QNAP’s QTS and QuTS hero operating systems, Hyper Data Protector, Malware Remover, and HBS 3 Hybrid Backup Sync software.
– QNAP recommends updating to the latest software versions and changing all passwords to secure devices.
– Specific patched versions include Hyper Data Protector 2.2.4.1, Malware Remover 6.6.8.20251023, HBS 3 Hybrid Backup Sync 26.2.0.938, and QTS/QuTS hero builds from 20251024.
– QNAP also released QuMagie 2.7.0 to fix a critical SQL injection vulnerability (CVE-2025-52425) in its photo management solution.
QNAP has urgently addressed seven critical zero-day vulnerabilities that were actively exploited during the Pwn2Own Ireland 2025 hacking contest. These security flaws affect several core components of QNAP’s ecosystem, including the QTS and QuTS hero operating systems, as well as applications like Hyper Data Protector, Malware Remover, and HBS 3 Hybrid Backup Sync. The successful demonstrations by security teams, Summoning Team, DEVCORE, Team DDOS, and a CyCraft intern, highlighted the immediate need for protective measures.
The specific vulnerabilities are tracked under the following CVE identifiers: CVE-2025-62847, CVE-2025-62848, and CVE-2025-62849 for the operating systems, CVE-2025-59389 for Hyper Data Protector, CVE-2025-11837 for Malware Remover, and CVE-2025-62840 and CVE-2025-62842 for HBS 3. To mitigate risks, QNAP advises all users to install the latest software updates and change all passwords immediately to strengthen their defenses.
QNAP Issues Critical Updates Following Pwn2Own Vulnerability Reports
QNAP has released patches across multiple products, now available in Hyper Data Protector version 2.2.4.1 or later. Administrators are advised to update immediately. To upgrade the operating system, log in and navigate to Control Panel → System → Firmware Update, then choose “Check for Update” under the Live Update section. For individual apps, open the App Center, search for the specific application, and select “Update.” Confirm the process when prompted.
The company stressed the importance of keeping systems current to guard against new exploits. Users can verify the support status of their NAS model to confirm eligibility for the latest security patches and firmware releases.
This latest round of updates follows vulnerabilities revealed during the Pwn2Own Ireland 2024 event. At that time, QNAP had addressed two zero-day flaws: an OS command injection issue in Hybrid Backup Sync (CVE-2024-50388) and an SQL injection bug in the SMB Service (CVE-2024-50387).
In a related announcement, QNAP rolled out QuMagie 2.7.0, resolving another critical SQL injection vulnerability (CVE-2025-52425) in its photo management software. The flaw could have allowed remote attackers to execute arbitrary commands on affected devices. The update serves as a reminder of how vital ongoing patch management remains in defending against fast-moving security threats.
(Source: Bleeping Computer)