QNAP fixed multiple zero-days in its software demonstrated at Pwn2Own 2025

QNAP patched seven zero-days used at Pwn2Own 2025 affecting QTS, QuTS hero, Hyper Data Protector, Malware Remover, and HBS 3.

Taiwanese vendor QNAP patched seven zero-day vulnerabilities exploited at Pwn2Own Ireland 2025. The flaws affected QTS, QuTS hero, Hyper Data Protector, Malware Remover, and HBS 3 Hybrid Backup Sync.

The vulnerabilities addressed by the company are:

• CVE-2025-62847 – CVE-2025-62848 – CVE-2025-62849 in QNAP’s QTS and QuTS hero operating systems;
• CVE-2025-11837 in Malware Remover;
• CVE-2025-59389 in Hyper Data Protector;
• CVE-2025-62840 – CVE-2025-62842 in HBS 3 Hybrid Backup Sync software.

The vendor recommends that customers update the software to the latest version.

“To secure your device, we recommend regularly updating your system to the latest version to benefit from vulnerability fixes.” reads the advisory published by the company.

Below are the software versions that fix these vulnerabilities:

• Hyper Data Protector 2.2.4.1 and later
• Malware Remover 6.6.8.20251023 and later
• HBS 3 Hybrid Backup Sync 26.2.0.938 and later
• QTS 5.2.7.3297 build 20251024 and later
• QuTS hero h5.2.7.3297 build 20251024 and later
• QuTS hero h5.3.1.3292 build 20251024 and later

White-hat hackers of Summoning Team, DEVCORE, Team DDOS, and a CyCraft technology intern demonstrated the above vulnerabilities during the last Pwn2Own 2025 hacking competition.

In October 2024, QNAP addressed two vulnerabilities, tracked as CVE-2024-50388 and CVE-2024-50387, demonstrated at the Pwn2Own Ireland 2024.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Pwn2Own)