QNAP has fixed seven zero-day vulnerabilities that security researchers exploited to hack QNAP network-attached storage (NAS) devices during the Pwn2Own Ireland 2025 competition.
The flaws impact QNAP's QTS and QuTS hero operating systems (CVE-2025-62847, CVE-2025-62848, CVE-2025-62849) and the company's Hyper Data Protector (CVE-2025-59389), Malware Remover (CVE-2025-11837), and HBS 3 Hybrid Backup Sync (CVE-2025-62840, CVE-2025-62842) software.
QNAP said in advisories published on Friday that the security bugs were demonstrated at Pwn2Own by the Summoning Team, DEVCORE, Team DDOS, and a CyCraft technology intern.
To patch these security flaws, QNAP recommends updating software to the latest version and changing all passwords for increased security.
QNAP has fixed all these vulnerabilities in the following software versions:
- Hyper Data Protector 2.2.4.1 and later
- Malware Remover 6.6.8.20251023 and later
- HBS 3 Hybrid Backup Sync 26.2.0.938 and later
- QTS 5.2.7.3297 build 20251024 and later
- QuTS hero h5.2.7.3297 build 20251024 and later
- QuTS hero h5.3.1.3292 build 20251024 and later
Users who want to update their OS to log in to QTS or QuTS Hero as an administrator should go to Control Panel > System > Firmware Update and click "Check for Update" under Live Update.
