QNAP Patches Seven Zero-Day Vulnerabilities Exploited at Pwn2Own
QNAP has released security updates to address seven zero-day vulnerabilities in its network-attached storage (NAS) products after these flaws were exploited by security researchers during the Pwn2Own Ireland 2025 competition. The vulnerabilities affected QNAP's QTS and QuTS hero operating systems, as well as key applications including Hyper Data Protector, Malware Remover, and HBS 3 Hybrid Backup Sync. The exploits were demonstrated by teams such as Summoning Team, DEVCORE, Team DDOS, and a CyCraft technology intern, highlighting the critical nature of these security issues.
QNAP has provided patched versions for all affected software and strongly recommends that users update to the latest releases and change all passwords to enhance security. The company has published detailed advisories and instructions for updating both the operating systems and vulnerable applications through the QTS or QuTS hero interface. Regular updates and monitoring of product support status are advised to ensure ongoing protection against similar vulnerabilities.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
QNAP fixes critical QuMagie SQL injection flaw CVE-2025-52425
QNAP also released QuMagie 2.7.0 to address CVE-2025-52425, a critical SQL injection vulnerability that could lead to remote code execution. Users were advised to upgrade to the patched version as part of the broader security response.
QNAP releases patches for seven Pwn2Own-exploited zero-days
QNAP released security updates to fix seven zero-day vulnerabilities in QTS, QuTS hero, Hyper Data Protector, Malware Remover, and HBS 3 Hybrid Backup Sync after their disclosure at Pwn2Own Ireland 2025. The company urged customers to update affected software promptly to reduce exploitation risk.
QNAP zero-days are demonstrated at Pwn2Own Ireland 2025
During the Pwn2Own Ireland 2025 competition, security researchers from Summoning Team, DEVCORE, Team DDOS, and a CyCraft technology intern successfully exploited seven zero-day vulnerabilities affecting QNAP QTS, QuTS hero, and related applications. The demonstrated flaws included issues enabling remote code execution, privilege escalation, and device compromise.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
4 references tracked. Mallory keeps watching after this page renders.
QNAP fixed multiple zero-days in its software demonstrated at Pwn2Own 2025
securityaffairs.com
Open sourceSevere QNAP NAS Zero-Day Flaws Patched After Pwn2Own 2025: What You Should Know
socradar.io
Open sourceCritical Warning: QNAP Patches Seven Zero-Days Exploited at Pwn2Own 2025
securityonline.info
Open sourceQNAP fixes seven NAS zero-day flaws exploited at Pwn2Own
bleepingcomputer.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
QNAP Patches Multiple Vulnerabilities in License Center and NAS Tools
QNAP has addressed several security vulnerabilities affecting its License Center application and other NAS tools, which could allow attackers to access sensitive information or disrupt services on affected devices. The vulnerabilities, identified as CVE-2025-52871 (out-of-bounds read) and CVE-2025-53597 (buffer overflow), require an attacker to have access to a valid or administrator account, making credential theft or weak passwords a significant risk factor. QNAP has released patches in License Center 2.0.36 and later, urging organizations and home users to update immediately, especially if their NAS devices are accessible from the internet or shared among multiple users. In addition to the License Center flaws, QNAP also patched high-severity SQL injection and path traversal vulnerabilities in its NAS products. These vulnerabilities could have allowed attackers to execute arbitrary code or access restricted files, further emphasizing the importance of timely updates. Users are advised to access the QTS or QuTS hero management interface and apply the latest security updates to mitigate these risks and protect sensitive data stored on QNAP devices.
Mar 21, 2026
QNAP Patches High-Severity Vulnerabilities in NetBak Replicator and Qsync Central
QNAP has addressed two high-severity security vulnerabilities affecting its NetBak Replicator and Qsync Central products. The first vulnerability, tracked as CVE-2025-53595, is an SQL injection flaw in Qsync Central. This vulnerability allows a remote attacker with a user account to execute unauthorized code or commands on the affected system. QNAP has released a fix for this issue in Qsync Central version 5.0.0.2 and later, mitigating the risk of exploitation. The second vulnerability, identified as CVE-2025-57714, impacts NetBak Replicator and is classified as an unquoted search path or element vulnerability. This flaw enables a local attacker with a user account to execute unauthorized code or commands, potentially leading to privilege escalation or further compromise of the system. The vulnerability in NetBak Replicator has been resolved in version 4.5.15.0807 and later. Both vulnerabilities have been assigned high CVSS scores, with the SQL injection in Qsync Central rated at 8.6 and the NetBak Replicator flaw at 8.5, reflecting their significant security impact. QNAP's security advisories recommend that users update to the latest versions of the affected products to ensure protection against these threats. The SQL injection vulnerability in Qsync Central is remotely exploitable, increasing its risk profile, while the NetBak Replicator issue requires local access. No specific details about exploitation in the wild have been reported, but the technical nature of the flaws underscores the importance of prompt patching. The vulnerabilities were reported to QNAP by security researchers and disclosed through official channels, including CVE databases and QNAP's own security team. The advisories do not list the exact affected product versions prior to the fixed releases, but users are urged to verify their software versions and apply updates as soon as possible. QNAP's response demonstrates a commitment to addressing security issues in a timely manner, with coordinated disclosure and clear communication to customers. Organizations using QNAP NetBak Replicator or Qsync Central should review their deployment, assess potential exposure, and implement the recommended updates. The vulnerabilities highlight the ongoing risk of both remote and local exploitation vectors in widely used backup and synchronization software. Security teams are advised to monitor for any signs of compromise and to follow best practices for user account management and software maintenance. The prompt release of patches and public disclosure of these vulnerabilities contribute to the overall security posture of QNAP's user base.
Mar 21, 2026
QNAP Fixes Unauthenticated Access in QVR Pro and Command Injection in QuNetSwitch
QNAP disclosed two high-severity vulnerabilities affecting its **QVR Pro** and **QuNetSwitch** products that could be exploited remotely without authentication or user interaction. **CVE-2026-22898** is a missing authentication for critical function flaw in QVR Pro, classified as `CWE-306`, that can let remote attackers gain access to the system. QNAP said the issue is fixed in **QVR Pro 2.7.4.14** and later and published advisory **QSA-26-07**. QNAP also addressed **CVE-2026-22897**, a `CWE-78` command injection flaw in **QuNetSwitch** that could allow remote attackers to execute arbitrary commands on vulnerable devices. The company said the bug was fixed in **QuNetSwitch 2.0.4.0415** and later. Both CVE records carry **CVSS v4.0** assessments indicating network-based exploitation with low attack complexity, no required privileges, and no user interaction, making prompt patching a priority for exposed systems.
Apr 15, 2026