QNAP has swiftly acted to mitigate several security vulnerabilities discovered in its products, following their exposure at the Pwn2Own Ireland hacking competition in October 2025. The company released patches last Friday addressing four significant vulnerabilities that were exploited during the event.
Details of the Vulnerabilities
The identified vulnerabilities, cataloged from CVE-2025-62843 to CVE-2025-62846, impact QNAP’s SD-WAN routers. These issues have been rectified in the updated QuRouter version 2.6.3.009. According to QNAP’s advisory, the first vulnerability necessitates physical access to the device to gain certain privileges, whereas the second can be exploited via the local network to access sensitive data.
The remaining vulnerabilities allow attackers with administrative rights to disrupt device behavior or execute unauthorized commands. The vulnerabilities were initially demonstrated by Team DDOS at Pwn2Own 2025, where they managed to chain multiple security flaws in QNAP routers and NAS devices, earning a $100,000 prize for their efforts.
QNAP’s Response and Additional Patches
In less than three weeks post-competition, QNAP released fixes for two of the demonstrated flaws, specifically CVE-2025-62840 and CVE-2025-62842. Additionally, the company addressed further vulnerabilities identified during the contest by other participants.
QNAP also issued patches for four critical vulnerabilities within its QuNetSwitch software. These issues could potentially lead to arbitrary code execution and unauthorized access through hardcoded credentials. Users are strongly encouraged to update to QuNetSwitch versions 2.0.4.0415 or 2.0.5.0906 and beyond.
Addressing Broader Security Concerns
Another significant vulnerability, involving missing authentication in QVR Pro, was also addressed. This flaw could have permitted remote attackers to infiltrate vulnerable systems. The release of QVR Pro version 2.7.4.1485 aims to resolve this issue.
Furthermore, QNAP tackled medium-severity vulnerabilities in both the Media Streaming Add-on and QuFTP Service, which had the potential to cause system crashes or data breaches. Importantly, QNAP has noted that none of these vulnerabilities have been reported as exploited in the wild. Detailed information can be accessed via the company’s security advisories page.
For users of QNAP products, it is crucial to ensure systems are updated to the latest versions to safeguard against these vulnerabilities.
