“`html
QNAP has tackled seven significant zero-day vulnerabilities within its network-attached storage (NAS) operating systems, following their successful exploitation by security experts at Pwn2Own Ireland 2025.
These issues, designated as CVE-2025-62847, CVE-2025-62848, CVE-2025-62849, along with related ZDI canonical entries ZDI-CAN-28353, ZDI-CAN-28435, ZDI-CAN-28436, permit remote code execution (RCE) and privilege escalation assaults against QTS 5.2.x, QuTS hero h5.2.x, and QuTS hero h5.3.x versions.
The exploits, showcased in a controlled setting, reveal kernel-level vulnerabilities and flaws in the web interface that might allow unauthenticated intruders to compromise device security and extract stored information.
QNAP Zero-Day Vulnerabilities Exploited
During Pwn2Own Ireland 2025, which took place in Cork from October 20-22, teams including Summoning Team, DEVCORE, Team DDOS, and a CyCraft intern linked these zero-days to circumvent authentication and gain complete system control over QNAP NAS devices.
The primary operating system vulnerabilities involve inadequate input validation resulting in buffer overflows and use-after-free errors in CGI handlers, allowing arbitrary command injections without user credentials.
For example, attackers took advantage of stack-based overflows in the quick.cgi component to run shell commands on uninitialized devices, reaching initialized systems through chained privilege escalations.
These methods reflect past QNAP challenges, such as heap overflows in cgi.cgi, but escalate to zero-click RCE in modern firmware. Event organizers from the Zero Day Initiative (ZDI) awarded rewards exceeding $150,000 for the NAS category, contributing to a grand total of $792,750 across 56 distinct hacks.
QNAP resolved these issues in firmware updates issued on October 24, 2025, eager to address the affected OS branches with mitigations for memory corruption and authentication bypass vectors.
Specifically, users of QTS 5.2.x are required to upgrade to version 5.2.7.3297 build 20251024 or later, which incorporates enhanced input sanitization and kernel patches to avert overflow exploits.
QuTS hero h5.2.x aligns with the same build, while h5.3.x necessitates 5.3.1.3292 build 20251024 or newer, correcting ZFS-specific integration flaws that heightened RCE threats in hybrid storage configurations.
While CVSS scores are still awaiting confirmation for certain entries, the zero-day classification and Pwn2Own context categorize them as critical, with the potential for denial-of-service (DoS) preceding data compromise.
Administrators can apply updates via the Control Panel > System > Firmware Update interface, enabling Live Update for automatic detection and installation. Manual downloads from QNAP’s Download Center cater to offline environments, ensuring compatibility checks against the product’s EOL status page.
Mitigations
To mitigate residual risks, QNAP recommends immediate password changes and segmenting NAS traffic using VLANs to restrict lateral movement after an exploit.
The vulnerabilities extend beyond the primary OS to integrated applications like HBS 3 Hybrid Backup Sync (CVE-2025-62840, CVE-2025-62842), where path traversal enables unauthorized backup access, and Malware Remover (CVE-2025-11837), which is, ironically, susceptible to command injection within its scanning engine.
In enterprise applications, these vulnerabilities may facilitate supply-chain attacks, as NAS devices often function as centralized repositories of sensitive documents.
Security teams should examine logs for unusual CGI requests and incorporate tools such as intrusion detection systems (IDS) for continuous monitoring.
This Pwn2Own result highlights the effectiveness of bug bounties in preventing widespread exploits, urging all QNAP users to prioritize firmware maintenance in the face of rising NAS-targeted threats.
“`