QNAP has addressed seven critical zero-day vulnerabilities in its network-attached storage (NAS) operating systems, following their successful exploitation by security researchers at Pwn2Own Ireland 2025.
These flaws, identified as CVE-2025-62847, CVE-2025-62848, CVE-2025-62849, and associated ZDI canonical entries ZDI-CAN-28353, ZDI-CAN-28435, ZDI-CAN-28436, enable remote code execution (RCE) and privilege escalation attacks against QTS 5.2.x, QuTS hero h5.2.x, and QuTS hero h5.3.x versions.
The exploits, demonstrated in a controlled environment, highlight kernel-level weaknesses and web interface flaws that could allow unauthenticated attackers to compromise device integrity and exfiltrate stored data.
QNAP Zero-Day Vulnerabilities Exploited
At Pwn2Own Ireland 2025, held in Cork from October 20-22, teams including Summoning Team, DEVCORE, Team DDOS, and a CyCraft intern chained these zero-days to bypass authentication and achieve full system takeover on QNAP NAS devices.
The core operating system vulnerabilities involve improper input validation leading to buffer overflows and use-after-free errors in CGI handlers, facilitating arbitrary command injection without user privileges.
For instance, attackers exploited stack-based overflows in the quick.cgi component to execute shell commands on uninitialized devices, extending to initialized systems via chained privilege escalations.
These techniques mirror historical QNAP issues, such as heap overflows in cgi.cgi, but escalate to zero-click RCE in modern firmware. Event organizers from the Zero Day Initiative (ZDI) awarded bounties exceeding $150,000 for the NAS category, contributing to a total of $792,750 across 56 unique hacks.
QNAP resolved these issues in firmware updates released on October 24, 2025, targeting the affected OS branches with mitigations for memory corruption and authentication bypass vectors.
Specifically, QTS 5.2.x users must upgrade to version 5.2.7.3297 build 20251024 or later, which includes hardened input sanitization and kernel patches to prevent overflow exploits.
QuTS hero h5.2.x follows the same build, while h5.3.x requires 5.3.1.3292 build 20251024 or later, addressing ZFS-specific integration flaws that amplified RCE risks in hybrid storage setups.
Although CVSS scores remain pending for some entries, the zero-day status and Pwn2Own context classify them as critical, with potential for denial-of-service (DoS) as a precursor to data compromise.
Administrators can deploy updates via the Control Panel > System > Firmware Update interface, enabling Live Update for automatic detection and installation. Manual downloads from QNAP’s Download Center support offline environments, ensuring compatibility checks against the product’s EOL status page.
Mitigations
To counter residual risks, QNAP advises immediate password rotation and segmentation of NAS traffic using VLANs to limit lateral movement post-exploit.
The vulnerabilities extend beyond the core OS to integrated apps like HBS 3 Hybrid Backup Sync (CVE-2025-62840, CVE-2025-62842), where path traversal allows unauthorized backup access, and Malware Remover (CVE-2025-11837), which is ironically vulnerable to command injection in its scanning engine.
In enterprise deployments, these flaws could enable supply-chain attacks, as NAS devices often serve as centralized repositories for sensitive files.
Security teams should audit logs for anomalous CGI requests and integrate tools like intrusion detection systems (IDS) for ongoing monitoring.
This Pwn2Own outcome underscores the efficacy of bug bounties in preempting wild exploits, urging all QNAP users to prioritize firmware hygiene amid rising NAS-targeted threats.
Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.
