Ddos 
QNAP has issued an urgent security advisory and released patches for seven zero-day vulnerabilities that were successfully exploited to compromise QNAP Network-Attached Storage (NAS) devices during the prestigious Pwn2Own Ireland 2025 competition. This extensive set of patches covers critical flaws found across the core operating systems and major applications, including the essential backup and malware removal tools.
The successful exploits were demonstrated at Pwn2Own by several top security research teams, including Summoning Team, DEVCORE, Team DDOS, and a CyCraft technology intern.
The compromised vulnerabilities affect core parts of the QNAP ecosystem, putting user data stored on NAS devices at high risk. Patches address issues in the main operating systems, QTS and QuTS hero, as well as critical applications:
1. Core Operating Systems: QTS and QuTS hero
Multiple vulnerabilities (CVE-2025-62847. CVE-2025-62848, CVE-2025-62849) were found in QNAP’s primary operating systems. While official CVSS scores were not explicitly provided in the advisory, the zero-day nature and the context of a successful Pwn2Own exploit suggest these flaws posed a High Risk for potential remote code execution and data compromise.
| Affected Product | Fixed Version |
| QTS 5.2.x | QTS 5.2.7.3297 build 20251024 and later |
| QUTS hero h5.2.x | QUTS hero h5.2.7.3297 build 20251024 and later |
| QUTS hero h5.3.x | QUTS hero h5.3.1.3292 build 20251024 and later |
2. Backup and Data Protection Apps
Two major applications designed to safeguard data were found to be vulnerable:
- HBS 3 Hybrid Backup Sync (CVE-2025-62840, CVE-2025-62842): Multiple vulnerabilities were fixed in this critical backup application. Since this tool handles all backup routines, a compromise could give attackers access to historical data and remote backup targets. Users on versions 26.1.x and earlier must update to HBS 3 Hybrid Backup Sync 26.2.0.938 and later.
- Hyper Data Protector (CVE-2025-59389): A vulnerability in this dedicated data protection tool was fixed in version 2.2.4.1 and later.
3. Malware Remover (CVE-2025-11837)
A zero-day vulnerability was even found in QNAP’s security tool, Malware Remover. Users on versions 6.6.x must update to Malware Remover 6.6.8.20251023 and later.
The vulnerabilities were proven exploitable in a controlled environment, meaning real-world attackers can quickly integrate these techniques into their campaigns. Given the high value of data stored on NAS devices, QNAP users should apply the firmware and application updates immediately.
Donate