QNAP has addressed seven important zero-day vulnerabilities in its network-attached storage (NAS) working methods, following their profitable exploitation by safety researchers at Pwn2Own Eire 2025.
These flaws, recognized as CVE-2025-62847, CVE-2025-62848, CVE-2025-62849, and related ZDI canonical entries ZDI-CAN-28353, ZDI-CAN-28435, ZDI-CAN-28436, allow distant code execution (RCE) and privilege escalation assaults towards QTS 5.2.x, QuTS hero h5.2.x, and QuTS hero h5.3.x variations.
The exploits, demonstrated in a managed atmosphere, spotlight kernel-level weaknesses and internet interface flaws that would enable unauthenticated attackers to compromise system integrity and exfiltrate saved information.
QNAP Zero-Day Vulnerabilities Exploited
At Pwn2Own Eire 2025, held in Cork from October 20-22, groups together with Summoning Group, DEVCORE, Group DDOS, and a CyCraft intern chained these zero-days to bypass authentication and obtain full system takeover on QNAP NAS units.
The core working system vulnerabilities contain improper enter validation resulting in buffer overflows and use-after-free errors in CGI handlers, facilitating arbitrary command injection with out consumer privileges.
As an illustration, attackers exploited stack-based overflows within the fast.cgi element to execute shell instructions on uninitialized units, extending to initialized methods by way of chained privilege escalations.
These methods mirror historic QNAP points, comparable to heap overflows in cgi.cgi, however escalate to zero-click RCE in trendy firmware. Occasion organizers from the Zero Day Initiative (ZDI) awarded bounties exceeding $150,000 for the NAS class, contributing to a complete of $792,750 throughout 56 distinctive hacks.
QNAP resolved these points in firmware updates launched on October 24, 2025, concentrating on the affected OS branches with mitigations for reminiscence corruption and authentication bypass vectors.
Particularly, QTS 5.2.x customers should improve to model 5.2.7.3297 construct 20251024 or later, which incorporates hardened enter sanitization and kernel patches to stop overflow exploits.
QuTS hero h5.2.x follows the identical construct, whereas h5.3.x requires 5.3.1.3292 construct 20251024 or later, addressing ZFS-specific integration flaws that amplified RCE dangers in hybrid storage setups.
Though CVSS scores stay pending for some entries, the zero-day standing and Pwn2Own context classify them as important, with potential for denial-of-service (DoS) as a precursor to information compromise.
Directors can deploy updates by way of the Management Panel > System > Firmware Replace interface, enabling Dwell Replace for computerized detection and set up. Handbook downloads from QNAP’s Obtain Middle help offline environments, guaranteeing compatibility checks towards the product’s EOL standing web page.
Mitigations
To counter residual dangers, QNAP advises fast password rotation and segmentation of NAS visitors utilizing VLANs to restrict lateral motion post-exploit.
The vulnerabilities prolong past the core OS to built-in apps like HBS 3 Hybrid Backup Sync (CVE-2025-62840, CVE-2025-62842), the place path traversal permits unauthorized backup entry, and Malware Remover (CVE-2025-11837), which is sarcastically susceptible to command injection in its scanning engine.
In enterprise deployments, these flaws may allow supply-chain assaults, as NAS units usually function centralized repositories for delicate recordsdata.
Safety groups ought to audit logs for anomalous CGI requests and combine instruments like intrusion detection methods (IDS) for ongoing monitoring.
This Pwn2Own final result underscores the efficacy of bug bounties in preempting wild exploits, urging all QNAP customers to prioritize firmware hygiene amid rising NAS-targeted threats.
Comply with us on Google Information, LinkedIn, and X for every day cybersecurity updates. Contact us to characteristic your tales.
