Taiwan-based QNAP Techniques over the weekend rolled out patches for 2 dozen vulnerabilities throughout its product portfolio, together with seven flaws demonstrated on the Pwn2Own Eire 2025 hacking competitors.
Two of the problems, tracked as CVE-2025-62840 and CVE-2025-62842, had been demonstrated by Staff DDOS. On the primary day of the competition, the workforce earned a $100,000 reward for an exploit that chained a complete of eight flaws impacting QNAP routers and NAS units.
QNAP launched HBS 3 Hybrid Backup Sync model 26.2.0.938 to resolve the bugs. The seller recommends that, after updating, customers change all their passwords.
Three different defects, tracked as CVE-2025-62847, CVE-2025-62848, and CVE-2025-62849, had been demonstrated by DEVCORE researchers as a part of an exploit that chained injection vulnerabilities with a format string bug, incomes them a $40,000 bug bounty reward.
QNAP patched the failings in QTS 5.2.7.3297 construct 20251024, QuTS hero h5.2.7.3297 construct 20251024, and QuTS hero h5.3.1.3292 construct 20251024.
Over the weekend, the seller additionally introduced fixes for CVE-2025-11837, a vital code injection challenge in Malware Remover that might result in arbitrary code execution.
CyCraft Know-how researcher Chumy Tsai demonstrated the defect on a QNAP TS-453E NAS system and earned a $20,000 reward for the exploit. QNAP fastened the vulnerability in Malware Remover model 6.6.8.20251023.
QNAP additionally rolled out patches for CVE-2025-59389, a vital challenge in Hyper Knowledge Protector that was demonstrated at Pwn2Own by Summoning Staff researcher Sina Kheirkhah.Commercial. Scroll to proceed studying.
The researcher earned $20,000 for chaining a hardcoded credential challenge and an injection flaw to compromise the QNAP TS-453E NAS. QNAP launched Hyper Knowledge Protector model 2.2.4.1 to resolve the bug.
Moreover, the seller rolled out fixes for a number of vulnerabilities in QuMagie, Obtain Station, File Station 5, Notification Heart, Qsync Central, and QuLog Heart, that could possibly be exploited for arbitrary code execution, data disclosure, safety mechanism bypasses, and denial-of-service (DoS) assaults.
QNAP makes no point out of any of those vulnerabilities being exploited within the wild, however customers are suggested to use the patches as quickly as doable, as QNAP vulnerabilities are standard targets for menace actors. Further data might be discovered on QNAP’s safety advisories web page.
Associated: $1M WhatsApp Hack Flops: Solely Low-Threat Bugs Disclosed to Meta After Pwn2Own Withdrawal
Associated: QNAP NetBak PC Agent Affected by Latest ASP.NET Core Vulnerability
Associated: QNAP Patches Vulnerabilities Exploited at Pwn2Own
Associated: Hackers Earn Over $1 Million at Pwn2Own Berlin 2025
