Red Hot Cyber, the Italian blog on information security
QNAP fixes 7 critical NAS bugs discovered at Pwn2Own Ireland 2025

Redazione RHC : 10 November 2025 07:24

QNAP has fixed seven critical zero-day vulnerabilities in its Network Attached Storage (NAS) operating systems after a group of researchers successfully exploited them at Pwn2Own Ireland 2025, held in Cork from October 20 to 22.

The exploits, demonstrated in a controlled environment, exposed kernel-level vulnerabilities and web interface flaws that could allow unauthenticated attackers to compromise the device and exfiltrate data stored there.

At the event, Summoning Team, DEVCORE, Team DDOS, and a CyCraft intern chained these zero-days together to bypass authentication and gain complete system control over QNAP NAS devices.

These flaws, identified as CVE-2025-62847, CVE-2025-62848, and CVE-2025-62849, allow remote code execution (RCE) and privilege escalation attacks against QTS 5.2.x, QuTS hero h5.2.x, and QuTS hero h5.3.x.

The primary operating system vulnerabilities involve improper input validation, leading to buffer overflows and use-after-free errors in CGI handlers, making it easier to inject arbitrary commands without user privileges.

Historical QNAP issues, such as heap overflows, served as the starting point for these techniques, which have evolved into zero-click RCE attacks in newer firmware. The Zero Day Initiative (ZDI) NAS category offered over $150,000 in prizes, contributing to a total prize pool of $792,750 for 56 unique vulnerabilities discovered by hackers.

QNAP fixed these issues in firmware updates released on October 24, 2025.

QTS 5.2.x users are required to update to version 5.2.7.3297 build 20251024 or later, which integrates more robust input sanitization and kernel updates to prevent overflow exploits. QuTS hero h5.2.x follows the same build, while h5.3.x requires version 5.3.1.3292 build 20251024 or later, which addresses ZFS-specific integration flaws that amplified RCE risks in hybrid storage configurations.
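A fleet check against the fixed builds listed above, as an added example that is not part of the original article or QNAP's tooling. The inventory, hostnames, status labels and the assumed firmware string format (`[h]A.B.C.NNNN build YYYYMMDD`) are constructed for illustration.

```python
import re

# Minimum fixed releases quoted in the article: (version tuple, build date).
FIXED = {
    ("QTS", "5.2"): ((5, 2, 7, 3297), 20251024),
    ("QuTS hero", "5.2"): ((5, 2, 7, 3297), 20251024),
    ("QuTS hero", "5.3"): ((5, 3, 1, 3292), 20251024),
}

# Assumed string format: "[h]A.B.C.NNNN build YYYYMMDD".
VERSION_RE = re.compile(r"^h?(\d+)\.(\d+)\.(\d+)\.(\d+)\s+build\s+(\d{8})$", re.I)


def parse_firmware(text):
    """Return ((major, minor, patch, number), build_date) or raise ValueError."""
    match = VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised firmware string: {text!r}")
    *version, build = (int(g) for g in match.groups())
    return tuple(version), build


def assess(product, firmware):
    """Classify one device as patched, vulnerable, unknown or not-listed."""
    try:
        version, build = parse_firmware(firmware)
    except ValueError:
        return "unknown"          # unparseable: needs manual review
    fixed = FIXED.get((product, f"{version[0]}.{version[1]}"))
    if fixed is None:
        return "not-listed"       # branch not mentioned in the article
    return "patched" if (version, build) >= fixed else "vulnerable"


# Constructed inventory (hostnames and the older version strings are invented).
INVENTORY = [
    ("nas-01", "QTS", "5.2.6.3100 build 20250901"),
    ("nas-02", "QTS", "5.2.7.3297 build 20251024"),
    ("nas-03", "QuTS hero", "h5.3.0.3000 build 20250801"),
    ("nas-04", "QuTS hero", "h5.3.1.3292 build 20251024"),
    ("nas-05", "QTS", "5.1.9.2954 build 20241120"),
    ("nas-06", "QuTS hero", "n/a"),
]


def audit(inventory):
    return {host: assess(product, fw) for host, product, fw in inventory}


if __name__ == "__main__":
    for host, status in audit(INVENTORY).items():
        print(f"{host}: {status}")
```

Devices reported as `unknown` or `not-listed` need manual review, since the article only names fixed builds for the three branches above.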

While some CVSS scores are still pending, the bugs are considered critical due to their zero-day status and Pwn2Own context; this makes them potentially dangerous to service availability, increasing the risk of a subsequent data breach.

Redazione
The editorial team of Red Hot Cyber consists of a group of individuals and anonymous sources who actively collaborate to provide early information and news on cybersecurity and computing in general.