QNAP Patches Seven Zero-Days Discovered During Pwn2Own


During the Pwn2Own competition in Ireland, participants discovered seven QNAP vulnerabilities.

QNAP has fixed seven vulnerabilities that researchers exploited to compromise NAS devices during the Pwn2Own 2025 competition in Ireland. The flaws affected both of QNAP's operating systems, QTS and QuTS hero, as well as the applications Hyper Data Protector, Malware Remover, and HBS 3 Hybrid Backup Sync.

Seven Vulnerabilities

The vulnerabilities (registered under CVE-2025-62847 through -62849 and CVE-2025-59389, -11837, -62840, and -62842) were demonstrated by various teams during the competition. They enabled remote code execution and could give attackers complete control over affected NAS systems.

QNAP has released patches for all vulnerable products. The company urges users to immediately update their systems to:

  • QTS 5.2.7.3297 or QuTS hero h5.2.7.3297 / h5.3.1.3292
  • Hyper Data Protector 2.2.4.1 or higher
  • Malware Remover 6.6.8.20251023 or higher
  • HBS 3 Hybrid Backup Sync 26.2.0.938 or higher

Updates can be performed via the Control Panel > System > Firmware Update or through the App Center search function. QNAP also recommends changing all passwords and regularly updating systems to prevent future attacks.
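To make the fixed-version list above easier to apply across an inventory of devices, here is an added example (not QNAP tooling) that compares an installed version string against the minimum fixed build for its release branch. It assumes the version formats shown above (dotted integers, with an `h` prefix on QuTS hero builds); the sample inventory is constructed.

```python
"""Check QNAP component versions against the fixed builds listed in the advisory."""
import re

# Minimum fixed versions as listed above. QuTS hero has two maintained
# branches (h5.2 and h5.3), each with its own fixed build.
FIXED_VERSIONS = {
    "QTS": ["5.2.7.3297"],
    "QuTS hero": ["h5.2.7.3297", "h5.3.1.3292"],
    "Hyper Data Protector": ["2.2.4.1"],
    "Malware Remover": ["6.6.8.20251023"],
    "HBS 3 Hybrid Backup Sync": ["26.2.0.938"],
}


def parse_version(text):
    """'h5.2.7.3297' -> (5, 2, 7, 3297); raises ValueError on unparseable input."""
    m = re.fullmatch(r"h?(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def is_patched(product, installed):
    """True if `installed` is at or above the fixed build for its branch.

    A branch is identified by the first two components (h5.2 vs h5.3).
    A build on a branch with no listed fix cannot be shown safe from the
    advisory alone, so the check conservatively reports it as unpatched.
    """
    inst = parse_version(installed)
    for fixed in FIXED_VERSIONS[product]:
        fix = parse_version(fixed)
        if inst[:2] == fix[:2]:
            return inst >= fix
    return False


def audit(inventory):
    """Return the (product, version) pairs that still need updating."""
    return [(p, v) for p, v in inventory if not is_patched(p, v)]


# Constructed sample inventory (version numbers are illustrative only).
SAMPLE_INVENTORY = [
    ("QTS", "5.2.6.3195"),
    ("QuTS hero", "h5.3.1.3292"),
    ("QuTS hero", "h5.2.7.3100"),
    ("Hyper Data Protector", "2.2.4.1"),
    ("Malware Remover", "6.6.7.20250901"),
    ("HBS 3 Hybrid Backup Sync", "26.2.0.938"),
]

if __name__ == "__main__":
    for product, version in audit(SAMPLE_INVENTORY):
        print(f"UPDATE NEEDED: {product} {version}")
```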

Security Patch for QuMagie

In addition to the Pwn2Own patches, QNAP has also released QuMagie 2.7.0 with a fix for a critical SQL injection (SQLi) vulnerability (CVE-2025-52425) in the photo management software. The flaw allowed attackers to remotely execute unauthorized code.

The manufacturer emphasizes that regularly updating the NAS system remains the best defense against exploitation of these types of vulnerabilities.