Article Details
Scrape Timestamp (UTC): 2025-11-07 18:31:37.515
Original Article Text
Click to Toggle View
QNAP fixes seven NAS zero-day flaws exploited at Pwn2Own. QNAP has fixed seven zero-day vulnerabilities that security researchers exploited to hack QNAP network-attached storage (NAS) devices during the Pwn2Own Ireland 2025 competition. The flaws impact QNAP's QTS and QuTS hero operating systems (CVE-2025-62847, CVE-2025-62848, CVE-2025-62849) and the company's Hyper Data Protector (CVE-2025-59389), Malware Remover (CVE-2025-11837), and HBS 3 Hybrid Backup Sync (CVE-2025-62840, CVE-2025-62842) software. QNAP said in advisories published on Friday that the security bugs were demonstrated at Pwn2Own by the Summoning Team, DEVCORE, Team DDOS, and a CyCraft technology intern. To patch these security flaws, QNAP recommends updating software to the latest version and changing all passwords for increased security. QNAP has fixed all these vulnerabilities in the following software versions: Users who want to update their OS to log in to QTS or QuTS Hero as an administrator should go to Control Panel > System > Firmware Update and click "Check for Update" under Live Update. To update the vulnerable apps, first log in to QTS or QuTS hero as an admin, then open the App Center and click the search button. Type the name of the app you want to update and press ENTER. In the search results, click "Update," and then confirm the action by clicking "OK" on the confirmation message that appears. "To secure your device, we recommend regularly updating your system to the latest version to benefit from vulnerability fixes. You can check the product support status to see the latest updates available to your NAS model," QNAP said. One year ago, the NAS maker patched two other zero-days exploited during the Pwn2Own Ireland 2024 contest: an OS command injection weakness (CVE-2024-50388) in the Hybrid Backup Sync disaster recovery and data backup solution, and an SQL injection (SQLi) vulnerability (CVE-2024-50387) in QNAP's SMB Service. Today, QNAP also released QuMagie 2.7.0 with patches for a critical SQLi vulnerability (CVE-2025-52425) in its photo management and sharing solution that can allow remote attackers to execute unauthorized code or commands on vulnerable devices. 7 Security Best Practices for MCP As MCP (Model Context Protocol) becomes the standard for connecting LLMs to tools and data, security teams are moving fast to keep these new services safe. This free cheat sheet outlines 7 best practices you can start using today.
Daily Brief Summary
QNAP has resolved seven zero-day vulnerabilities in its NAS devices, identified during the Pwn2Own Ireland 2025 competition by several security research teams.
The vulnerabilities affected QNAP's QTS and QuTS hero operating systems, as well as Hyper Data Protector, Malware Remover, and HBS 3 Hybrid Backup Sync software.
QNAP has issued advisories recommending users update their systems to the latest software versions and change passwords to enhance security.
The company provided detailed instructions for users to update their systems and applications via the Control Panel and App Center.
These fixes follow previous patches for zero-days discovered during last year's Pwn2Own event, demonstrating QNAP's ongoing commitment to addressing security challenges.
A critical SQL injection vulnerability in QuMagie, QNAP's photo management solution, has also been patched, preventing potential unauthorized code execution.
Organizations using QNAP devices are urged to regularly update their systems to protect against vulnerabilities and maintain robust security postures.