QNAP has taken decisive action to address seven significant zero-day vulnerabilities within its network-attached storage (NAS) operating systems. This move follows the successful exploitation of these flaws by security researchers during the Pwn2Own Ireland 2025 competition.
Identified as CVE-2025-62847, CVE-2025-62848, CVE-2025-62849, along with corresponding ZDI canonical entries ZDI-CAN-28353, ZDI-CAN-28435, and ZDI-CAN-28436, these vulnerabilities facilitate remote code execution (RCE) and privilege escalation attacks on QTS versions 5.2.x, QuTS hero h5.2.x, and QuTS hero h5.3.x.
Demonstrated in a controlled setting, these exploits underscore critical weaknesses at the kernel level and within web interface architecture, enabling unauthorized attackers to jeopardize device integrity and extract sensitive data.
Exploitation of QNAP Zero-Day Vulnerabilities
During Pwn2Own Ireland 2025, which took place in Cork from October 20-22, various teams—including Summoning Team, DEVCORE, Team DDOS, and a CyCraft intern—successfully chained these zero-days to circumvent authentication, leading to complete system takeovers of QNAP NAS devices.
The fundamental vulnerabilities reside in improper input validation practices, resulting in buffer overflows and use-after-free issues within CGI handlers. These flaws facilitate arbitrary command execution devoid of user privileges.
For example, attackers leveraged stack-based overflows in the quickly.cgi component, allowing shell command execution on uninitialized devices, and extending this capability to initialized systems through subsequent privilege elevation.
These techniques resonate with historical exploits concerning QNAP, like heap overflows in cgi.cgi, yet elevate the ramifications to a zero-click RCE in contemporary firmware.
The Zero Day Initiative (ZDI) event coordinators awarded bounties surpassing $150,000 for exploits within the NAS category, contributing to a staggering total of $792,750 awarded across 56 distinct hacks.
QNAP resolved these vulnerabilities through firmware updates released on October 24, 2025, specifically targeting the vulnerable OS branches with enhancements aimed at mitigating memory corruption and addressing authentication bypass avenues.
Users operating QTS 5.2.x should upgrade to version 5.2.7.3297 build 20251024 or later, which features fortified input sanitization and kernel patches designed to thwart overflow exploits.
QuTS hero h5.2.x shares the same build requirement, whereas h5.3.x mandates version 5.3.1.3292 build 20251024 or later, rectifying ZFS-specific integration vulnerabilities that elevated RCE risks within hybrid storage configurations.
While the CVSS scores for some entries remain pending, the critical classification of these zero-days and their context within Pwn2Own underscores their severe risk potential, including denial-of-service (DoS) scenarios as precursors to data compromise.
Administrators can implement updates via the Control Panel > System > Firmware Update section, enabling the Live Update feature for automated detection and installation.
Manual downloads from QNAP’s Download Center are available for offline environments, ensuring compatibility with the product’s end-of-life status page.
Mitigations
In light of the residual risks, QNAP strongly recommends immediate password rotations and segmentation of NAS traffic utilizing VLAN configurations to curtail lateral movement post-exploit.
The ramifications of these vulnerabilities extend to integrated applications such as HBS 3 Hybrid Backup Sync (CVE-2025-62840, CVE-2025-62842), which faces unauthorized backup access through path traversal, and the Malware Remover (CVE-2025-11837), ironically exposed to command injection within its scanning engine.
In enterprise contexts, these vulnerabilities may facilitate supply-chain attacks, given that NAS devices frequently host critical repositories of sensitive information.
Security teams are advised to meticulously audit logs for any anomalous CGI requests and incorporate intrusion detection systems (IDS) for continuous monitoring.
This outcome from Pwn2Own underscores the efficacy of bug bounty initiatives in preempting widespread exploitation. It serves as a crucial reminder for QNAP users to prioritize their firmware hygiene amidst an escalating landscape of threats targeting NAS systems.
Source link: Cybersecuritynews.com.
