Qnap patches a batch of Pwn2Own 2025 security vulnerabilities
Qnap's NAS systems were the target of several attacks at this year's Pwn2Own event. Updates are closing the identified vulnerabilities.
(Image: Konstantin Yolshin/Shutterstock.com)
Qnap released a total of eleven security advisories over the weekend, addressing vulnerabilities, some of them critical, in its NAS systems and associated software. Updates for these advisories are already available for download and installation – users of Qnap systems should check whether their devices are up to date.
Details about the vulnerabilities are scarce – even the CVE entries have not yet been published. However, Qnap has patched three security gaps in QTS and QuTS hero that were exploited as zero-day vulnerabilities at Pwn2Own 2025 in Ireland to attack NAS storage devices (CVE-2025-62847, CVE-2025-62848, CVE-2025-62849). A CVSS vector and score have not been published yet, but Qnap classifies the risk as "critical". The fixes are included in QTS 5.2.7.3297 Build 20251024, QuTS hero h5.2.7.3297 Build 20251024, and QuTS hero h5.3.1.3292 Build 20251024, and newer versions.
Further critical vulnerabilities affect Hyper Data Protector (CVE-2025-59389), fixed in version 2.2.4.1 and newer, and HBS 3 Hybrid Backup Sync (CVE-2025-62840, CVE-2025-62842), fixed in version 26.2.0.938 and newer.
"Non-Pwn2Own" vulnerabilities also closed
Qnap is also addressing vulnerabilities that were not found at Pwn2Own, for example an SQL injection vulnerability in QuMagie before 2.7.0 that is rated as a critical risk and allows attackers on the network to execute malicious code (CVE-2025-52425).
Further security advisories from the weekend address security leaks that Qnap developers classify as less severe:
- Vulnerability in QuMagie before 2.7.3 (CVE-2025-58464), risk classification "important"
- Multiple Vulnerabilities in Download Station before 5.10.0.305 (QTS) / 5.10.0.304 (QuTS hero) (CVE-2025-58463, CVE-2025-58465), classification "important"
- Vulnerability in Qsync Central before 5.0.0.3 (CVE-2025-57712), classification "important"
- Multiple Vulnerabilities in File Station 5 before 5.5.6.5018 (CVE-2025-47207, CVE-2025-53408, CVE-2025-53409, CVE-2025-53410, CVE-2025-53411, CVE-2025-53412, CVE-2025-53413, CVE-2025-52865, CVE-2025-57706), classification "moderate"
- Vulnerability in Notification Center before 3.0.0.3466, 2.1.0.3443 and 1.9.2.3163 (CVE-2025-54167), classification "moderate"
- Multiple Vulnerabilities in QuLog Center before 1.8.2.923 (CVE-2025-54168, CVE-2025-58469), classification "moderate"
Most recently, Qnap reported high-risk security vulnerabilities in QTS and QuTS hero in September. At that time, the updates that fixed the issues had already been available for some time.
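For administrators who need to check an inventory against these advisories, here is an added helper (not code from Qnap or heise): it parses version strings in the form Qnap uses above, including the QuTS hero "h" prefix and the "Build YYYYMMDD" suffix, and compares an installed version with the fixed releases named in this article. The fixed-version table is taken from the article; the rule that a version is compared against the fix on its own major.minor branch is my assumption.

```python
import re

# Fixed releases as stated in the advisories summarised above. A build date
# (YYYYMMDD) is only compared when the numeric version is identical.
FIXED = {
    "QTS": ["5.2.7.3297 Build 20251024"],
    "QuTS hero": ["h5.2.7.3297 Build 20251024", "h5.3.1.3292 Build 20251024"],
    "Hyper Data Protector": ["2.2.4.1"],
    "HBS 3": ["26.2.0.938"],
    "QuMagie": ["2.7.3"],
    "File Station 5": ["5.5.6.5018"],
}

_VER = re.compile(r"^h?(\d+(?:\.\d+)*)(?:\s+Build\s+(\d{8}))?$")


def parse_version(text):
    """Split e.g. 'h5.3.1.3292 Build 20251024' into ((5, 3, 1, 3292), 20251024)."""
    m = _VER.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Qnap version string: {text!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    build = int(m.group(2)) if m.group(2) else None
    return nums, build


def _at_least(installed, fixed):
    (iv, ib), (fv, fb) = installed, fixed
    if iv != fv:
        return iv > fv
    if fb is None:
        return True
    # Same numeric version: the build date decides; an unknown build is
    # treated as unpatched so the check errs on the side of caution.
    return ib is not None and ib >= fb


def is_patched(product, installed_text):
    """True if the installed version already contains the fix for `product`."""
    inst = parse_version(installed_text)
    fixes = [parse_version(f) for f in FIXED[product]]
    # Assumption: compare against the fixed release on the same major.minor
    # branch (QuTS hero has two); a branch with no listed fix must exceed the
    # newest fixed release to count as patched.
    same_branch = [f for f in fixes if f[0][:2] == inst[0][:2]]
    target = same_branch[0] if same_branch else max(fixes, key=lambda f: f[0])
    return _at_least(inst, target)
```

Feed it the product name and the version string shown in the device's control panel; a False result means the device still needs the update.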
(dmk)