QNAP has fixed seven zero-day vulnerabilities that security researchers exploited to hack QNAP network-attached storage (NAS) devices during the Pwn2Own Ireland 2025 competition.
The flaws impact QNAP's QTS and QuTS hero operating systems (CVE-2025-62847, CVE-2025-62848, CVE-2025-62849) and the company's Hyper Data Protector (CVE-2025-59389), Malware Remover (CVE-2025-11837), and HBS 3 Hybrid Backup Sync (CVE-2025-62840, CVE-2025-62842) software.
QNAP said in advisories published on Friday that the security bugs were demonstrated at Pwn2Own by the Summoning Team, DEVCORE, Team DDOS, and a CyCraft technology intern.
To patch these security flaws, QNAP recommends updating software to the latest version and changing all passwords for increased security.
QNAP has fixed all these vulnerabilities in the following software versions:
Hyper Data Protector 2.2.4.1 and later
Malware Remover 6.6.8.20251023 and later
HBS 3 Hybrid Backup Sync 26.2.0.938 and later
QTS 5.2.7.3297 build 20251024 and later
QuTS hero h5.2.7.3297 build 20251024 and later
... continue reading