QNAP has fixed seven zero-day vulnerabilities that security researchers exploited to hack QNAP network-attached storage (NAS) devices during the Pwn2Own Ireland 2025 competition.
The flaws impact QNAP’s QTS and QuTS hero operating systems (CVE-2025-62847, CVE-2025-62848, CVE-2025-62849) and the company’s Hyper Data Protector (CVE-2025-59389), Malware Remover (CVE-2025-11837), and HBS 3 Hybrid Backup Sync (CVE-2025-62840, CVE-2025-62842) software.
QNAP said in advisories published on Friday that the security bugs were demonstrated at Pwn2Own by the Summoning Team, DEVCORE, Team DDOS, and a CyCraft technology intern.
To patch these security flaws, QNAP recommends updating software to the latest version and changing all passwords for increased security.
QNAP has fixed all these vulnerabilities in the following software versions:
- Hyper Data Protector 2.2.4.1 and later
- Malware Remover 6.6.8.20251023 and later
- HBS 3 Hybrid Backup Sync 26.2.0.938 and later
- QTS 5.2.7.3297 build 20251024 and later
- QuTS hero h5.2.7.3297 build 20251024 and later
- QuTS hero h5.3.1.3292 build 20251024 and later
Users who want to update their OS to log in to QTS or QuTS Hero as an administrator should go to Control Panel > System > Firmware Update and click “Check for Update” under Live Update.
To update the vulnerable apps, first log in to QTS or QuTS hero as an admin, then open the App Center and click the search button. Type the name of the app you want to update and press ENTER. In the search results, click “Update,” and then confirm the action by clicking “OK” on the confirmation message that appears.
“To secure your device, we recommend regularly updating your system to the latest version to benefit from vulnerability fixes. You can check the product support status to see the latest updates available to your NAS model,” QNAP said.
One year ago, the NAS maker patched two other zero-days exploited during the Pwn2Own Ireland 2024 contest: an OS command injection weakness (CVE-2024-50388) in the Hybrid Backup Sync disaster recovery and data backup solution, and an SQL injection (SQLi) vulnerability (CVE-2024-50387) in QNAP’s SMB Service.
Today, QNAP also released QuMagie 2.7.0 with patches for a critical SQLi vulnerability (CVE-2025-52425) in its photo management and sharing solution that can allow remote attackers to execute unauthorized code or commands on vulnerable devices.
Whether you’re cleaning up old keys or setting guardrails for AI-generated code, this guide helps your team build securely from the start.
Get the cheat sheet and take the guesswork out of secrets management.