Taiwan-based QNAP Systems over the weekend rolled out patches for two dozen vulnerabilities across its product portfolio, including seven flaws demonstrated at the Pwn2Own Ireland 2025 hacking competition.
Two of the issues, tracked as CVE-2025-62840 and CVE-2025-62842, were demonstrated by Team DDOS. On the first day of the contest, the team earned a $100,000 reward for an exploit that chained a total of eight flaws impacting QNAP routers and NAS devices.
QNAP released HBS 3 Hybrid Backup Sync version 26.2.0.938 to resolve the bugs. The vendor recommends that, after updating, users change all their passwords.
Three other defects, tracked as CVE-2025-62847, CVE-2025-62848, and CVE-2025-62849, were demonstrated by DEVCORE researchers as part of an exploit that chained injection vulnerabilities with a format string bug, earning them a $40,000 bug bounty reward.
QNAP patched the flaws in QTS 5.2.7.3297 build 20251024, QuTS hero h5.2.7.3297 build 20251024, and QuTS hero h5.3.1.3292 build 20251024.
Over the weekend, the vendor also announced fixes for CVE-2025-11837, a critical code injection issue in Malware Remover that could lead to arbitrary code execution.
CyCraft Technology researcher Chumy Tsai demonstrated the defect on a QNAP TS-453E NAS device and earned a $20,000 reward for the exploit. QNAP fixed the vulnerability in Malware Remover version 6.6.8.20251023.
QNAP also rolled out patches for CVE-2025-59389, a critical issue in Hyper Data Protector that was demonstrated at Pwn2Own by Summoning Team researcher Sina Kheirkhah.
The researcher earned $20,000 for chaining a hardcoded credential issue and an injection flaw to compromise the QNAP TS-453E NAS. QNAP released Hyper Data Protector version 2.2.4.1 to resolve the bug.
Additionally, the vendor rolled out fixes for multiple vulnerabilities in QuMagie, Download Station, File Station 5, Notification Center, Qsync Central, and QuLog Center that could be exploited for arbitrary code execution, information disclosure, security mechanism bypasses, and denial-of-service (DoS) attacks.
QNAP makes no mention of any of these vulnerabilities being exploited in the wild, but users are advised to apply the patches as soon as possible, as QNAP vulnerabilities are popular targets for threat actors. Additional information can be found on QNAP’s security advisories page.

