
QNAP has released security updates fixing seven zero-day vulnerabilities that security researchers exploited during the Pwn2Own Ireland 2025 competition. Given the severity of the flaws, all users are strongly advised to update their devices immediately to reduce the risk of attacks.
Seven Critical Zero-Days Patched by QNAP
According to QNAP, the vulnerabilities affect several core products.
The flaws impact the QTS and QuTS hero operating systems (CVE-2025-62847, CVE-2025-62848, CVE-2025-62849).
Other affected applications include Hyper Data Protector (CVE-2025-59389), Malware Remover (CVE-2025-11837), and HBS 3 Hybrid Backup Sync (CVE-2025-62840 and CVE-2025-62842).
The vulnerabilities were successfully demonstrated live at Pwn2Own by Summoning Team, DEVCORE, Team DDOS, and an intern from CyCraft Technology.
Updated QNAP Software Versions
Users are urged to upgrade to at least the following fixed versions:
- Hyper Data Protector 2.2.4.1 or later
- Malware Remover 6.6.8.20251023 or later
- HBS 3 Hybrid Backup Sync 26.2.0.938 or later
- QTS 5.2.7.3297 build 20251024 or later
- QuTS hero h5.2.7.3297 build 20251024 or later
- QuTS hero h5.3.1.3292 build 20251024 or later
QNAP also recommends changing all important passwords as an additional security measure.
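As an added example (not QNAP's tooling and not code from the original article), the following Python script checks a fleet inventory against the fixed versions listed above. It parses QNAP's version strings, including the "build YYYYMMDD" suffix, picks the correct QuTS hero branch (h5.2.x versus h5.3.x, which have separate fixed builds), and flags anything below threshold. The hostnames and the pre-fix version numbers in the sample inventory are constructed for illustration.

```python
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]

# Fixed versions as listed in the advisory above. Each entry is
# (branch prefix, minimum fixed version, minimum build date or None).
# QuTS hero has two supported branches (h5.2.x and h5.3.x) with separate
# fixed builds, so the prefix selects which threshold applies.
FIXED: Dict[str, List[Tuple[Version, Version, Optional[int]]]] = {
    "Hyper Data Protector":     [((), (2, 2, 4, 1), None)],
    "Malware Remover":          [((), (6, 6, 8, 20251023), None)],
    "HBS 3 Hybrid Backup Sync": [((), (26, 2, 0, 938), None)],
    "QTS":                      [((), (5, 2, 7, 3297), 20251024)],
    "QuTS hero": [
        ((5, 2), (5, 2, 7, 3297), 20251024),
        ((5, 3), (5, 3, 1, 3292), 20251024),
    ],
}

# Accepts "5.2.7.3297 build 20251024", "h5.3.1.3292 build 20251024", "26.2.0.938".
VERSION_RE = re.compile(r"^h?(\d+(?:\.\d+)*)(?:\s+build\s+(\d{8}))?$", re.IGNORECASE)


def parse_version(text: str) -> Tuple[Version, Optional[int]]:
    """Split a QNAP version string into a numeric tuple and an optional build date."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = tuple(int(part) for part in m.group(1).split("."))
    build = int(m.group(2)) if m.group(2) else None
    return nums, build


def _compare(a: Version, b: Version) -> int:
    """Compare dotted versions of unequal length by right-padding with zeros."""
    width = max(len(a), len(b))
    a, b = a + (0,) * (width - len(a)), b + (0,) * (width - len(b))
    return (a > b) - (a < b)


def is_patched(product: str, installed: str) -> bool:
    """True if the installed version meets or exceeds the advisory's fixed version."""
    nums, build = parse_version(installed)
    thresholds = [t for t in FIXED[product] if nums[: len(t[0])] == t[0]]
    if not thresholds:
        # Branch not covered by the advisory (e.g. an older QuTS hero line):
        # treat as unpatched rather than silently passing it.
        return False
    _, fixed_nums, fixed_build = thresholds[0]
    order = _compare(nums, fixed_nums)
    if order != 0:
        return order > 0
    # Same numeric version: the build date decides. For firmware the advisory
    # names a specific build, so an equal version with an older or unknown
    # build is still treated as unpatched.
    if fixed_build is None:
        return True
    return build is not None and build >= fixed_build


def audit(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Return (host, product, installed) for every entry that is NOT patched."""
    return [(h, p, v) for h, p, v in inventory if not is_patched(p, v)]


# Constructed sample inventory: hostnames and the pre-fix version numbers are
# illustrative and not taken from any real device.
SAMPLE_INVENTORY = [
    ("nas-01", "QTS", "5.2.7.3297 build 20251024"),
    ("nas-02", "QTS", "5.2.6.3195 build 20250827"),
    ("nas-03", "QuTS hero", "h5.3.0.3212 build 20250922"),
    ("nas-03", "HBS 3 Hybrid Backup Sync", "26.2.0.938"),
    ("nas-04", "QuTS hero", "h5.2.7.3297 build 20251010"),
    ("nas-04", "Malware Remover", "6.6.8.20251023"),
    ("nas-05", "Hyper Data Protector", "2.2.3.9"),
]

if __name__ == "__main__":
    for host, product, version in audit(SAMPLE_INVENTORY):
        print(f"{host}: {product} {version} is below the fixed version")
```

Two deliberate choices are worth noting: a firmware version that matches the fixed number but carries an older or missing build date is reported as unpatched, because the advisory names a specific build; and a QuTS hero branch the advisory does not list is also reported as unpatched rather than assumed safe. Feed the script whatever host/product/version triples your own inventory produces.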
How to Update QTS or QuTS Hero
To install the latest firmware:
- Log in as Administrator.
- Go to Control Panel > System > Firmware Update.
- Click Check for Update under Live Update.
- Install the update and restart the system.
How to Update Vulnerable Applications
To update affected apps:
- Open App Center.
- Use the search box to find the application.
- Press Enter, then click Update.
- Confirm by selecting OK.
Until these updates are applied, the device remains exposed to the exploits demonstrated at the competition.
Previous Zero-Day Fixes by QNAP
In the previous Pwn2Own Ireland event in 2024, QNAP patched two other zero-days exploited during the competition.
These included an OS Command Injection flaw (CVE-2024-50388) in Hybrid Backup Sync and an SQL Injection flaw (CVE-2024-50387) in the SMB Service.
On the same day, QNAP also released QuMagie 2.7.0, which patched a critical SQL injection vulnerability (CVE-2025-52425) in its photo management app.
Source:
https://www.bleepingcomputer.com/news/security/qnap-fixes-seven-nas-zero-day-vulnerabilities-exploited-at-pwn2own/
https://www.qnap.com/en/news/2025/qnap-demonstrates-cybersecurity-commitment-at-pwn2own-2025-with-rapid-defense-updates
