SOCRadar® Cyber Intelligence Inc. | Severe QNAP NAS Zero-Day Flaws Patched After Pwn2Own 2025: What You Should Know
Nov 10, 2025

Severe QNAP NAS Zero-Day Flaws Patched After Pwn2Own 2025: What You Should Know

QNAP has released security updates addressing seven zero-day vulnerabilities discovered and demonstrated during Pwn2Own Ireland 2025. The flaws affect QTS, QuTS hero, and several QNAP applications, including Hyper Data Protector, Malware Remover, and HBS 3 Hybrid Backup Sync.

This blog post provides a summary of the recent QNAP NAS zero-day vulnerabilities, their technical details, and the recommended mitigation steps.

What Are the QNAP Vulnerabilities Found at Pwn2Own 2025?

Seven distinct zero-day vulnerabilities were exploited during the Pwn2Own competition, affecting core operating systems and apps used across QNAP NAS devices.

The identified CVEs are:

Each flaw was presented live by research teams including Summoning Team, DEVCORE, Team DDOS, and CyCraft.

What Technical Weaknesses Were Involved?

The main issues stemmed from improper input validation and memory management errors within CGI handlers. In particular, stack-based buffer overflows and use-after-free vulnerabilities allowed attackers to inject commands via the quick.cgi component.

In the context of Malware Remover and HBS 3, these weaknesses extended to path traversal and command injection, which could expose backup files or compromise system scans.

Such attack paths are especially dangerous for enterprises using NAS as centralized file repositories, as they could serve as an entry point for supply-chain attacks or data extortion.

How Severe Are These Vulnerabilities?

According to the official QNAP advisories, all seven of the vulnerabilities are rated critical. Successful exploitation can lead to the following outcomes:

  • Unauthenticated Remote Code Execution (RCE) on affected NAS devices via kernel-level and CGI handler bugs in QTS/QuTS hero.
  • Privilege escalation from a low-privileged context to full administrative or root access.
  • Complete device takeover, including the ability to read, modify, encrypt, or delete files stored on the NAS.
  • Unauthorized access to backup data and jobs in HBS 3 Hybrid Backup Sync (CVE-2025-62840, CVE-2025-62842) through path traversal, potentially exposing or tampering with backup content.
  • Command execution via the Malware Remover component (CVE-2025-11837), allowing attackers to run arbitrary commands in the context of the security tool, disable protections, or deploy additional payloads.
  • Compromise of Hyper Data Protector (CVE-2025-59389), which may impact the confidentiality and integrity of backup tasks and replicated data, depending on how the service is deployed.

In some exploit chains, attackers can also trigger Denial of Service (DoS) conditions by crashing services or destabilizing the system, using outages as a precursor to data theft or extortion. When chained, these bugs enable an external attacker to bypass authentication and operate on the NAS as if they were a trusted administrator.

Strengthen Your Defense with SOCRadar

Get ahead of the next zero-day. With SOCRadar’s Cyber Threat Intelligence module, security teams receive actionable vulnerability intelligence with real-time exploit alerts, contextual risk scoring, and vendor patch tracking – all in one unified view.

The Attack Surface Management (ASM) module complements it by mapping exposed assets and identifying which systems are affected by new vulnerabilities, allowing faster remediation and reduced exposure time.

SOCRadar’s Vulnerability Intelligence

How Can Users Protect Their QNAP NAS Devices Now?

QNAP has released patched builds that address all affected components. Users should ensure they are running the following versions, or later:

  • QTS 5.2.7.3297
  • QuTS hero h5.2.7.3297 / h5.3.1.3292
  • Malware Remover 6.6.8.20251023
  • Hyper Data Protector 2.2.4.1
  • HBS 3 Hybrid Backup Sync 26.2.0.938

Beyond immediate patching, QNAP recommends:

  • Changing administrator passwords post-update.
  • Segmenting NAS traffic using VLANs to prevent lateral movement.
  • Reviewing access logs for suspicious CGI requests.
  • Enabling Live Update to automate future patch deployments.

Security teams should also integrate intrusion detection or endpoint monitoring to spot exploitation attempts early.
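As an added illustration of the log review QNAP recommends (example code written for this post, not QNAP's or SOCRadar's tooling), the script below scans web-server access log lines for requests to CGI endpoints that carry path traversal sequences or shell metacharacters, the two weakness classes named above, and for bursts of server errors from one client that may indicate a crashed handler. The log lines, client addresses and CGI path are all constructed; the appliance's real log format is not given in the post.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample in combined log format. The CGI path is a placeholder (the
# post names the quick.cgi component but not its URL), and the appliance's own
# log layout may differ, so adapt LOG_RE before running this on real logs.
SAMPLE_LOG = """\
192.0.2.10 - - [10/Nov/2025:09:14:02 +0000] "GET /cgi-bin/example.cgi?func=status HTTP/1.1" 200 512
192.0.2.10 - - [10/Nov/2025:09:14:05 +0000] "POST /cgi-bin/example.cgi?file=../../../etc/config HTTP/1.1" 200 88
198.51.100.7 - - [10/Nov/2025:09:15:11 +0000] "GET /cgi-bin/example.cgi?file=%2e%2e%2f%2e%2e%2fbackup HTTP/1.1" 404 0
198.51.100.7 - - [10/Nov/2025:09:15:12 +0000] "GET /cgi-bin/example.cgi?name=list;id HTTP/1.1" 500 0
198.51.100.7 - - [10/Nov/2025:09:15:13 +0000] "GET /cgi-bin/example.cgi?name=list HTTP/1.1" 500 0
198.51.100.7 - - [10/Nov/2025:09:15:14 +0000] "GET /cgi-bin/example.cgi?name=list HTTP/1.1" 500 0
203.0.113.5 - - [10/Nov/2025:09:16:00 +0000] "GET /index.html?q=a;b HTTP/1.1" 200 4096
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')
TRAVERSAL = re.compile(r"\.\.[/\\]")        # ../ or ..\ after decoding
SHELL_META = re.compile(r"[;|&`]|\$\(")      # command separators / substitution
ERROR_BURST = 3  # 5xx responses from one client on CGI endpoints before flagging

def review_cgi_requests(log_text):
    """Return (line_no, client_ip, reason) for each suspicious CGI request.
    Only paths ending in .cgi are inspected, so the ';' in the query to a
    static page on the last sample line is deliberately not reported."""
    findings, errors = [], Counter()
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        m = LOG_RE.match(line)
        if not m:
            continue
        client, _method, target, status = m.groups()
        # Decode twice so double-encoded sequences (%252e) are also normalised.
        path, _, query = unquote(unquote(target)).partition("?")
        if not path.lower().endswith(".cgi"):
            continue
        if TRAVERSAL.search(path) or TRAVERSAL.search(query):
            findings.append((line_no, client, "path traversal sequence in CGI request"))
        if SHELL_META.search(query):
            findings.append((line_no, client, "shell metacharacters in CGI parameters"))
        if status.startswith("5"):
            errors[client] += 1
            if errors[client] == ERROR_BURST:
                findings.append((line_no, client, "repeated server errors on CGI (possible crash)"))
    return findings

if __name__ == "__main__":
    for line_no, client, reason in review_cgi_requests(SAMPLE_LOG):
        print(f"line {line_no}: {client}: {reason}")
```

The thresholds and patterns are starting points for a first triage pass, not a substitute for the vendor's indicators; tune ERROR_BURST to the normal error rate of the device.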

Additional Security Alert: runC Container Escape Vulnerabilities (CVE-2025-31133, CVE-2025-52565, CVE-2025-52881)

While the QNAP issues focus on storage appliances, another recent disclosure points to broader infrastructure risks. Three serious flaws have been identified in the runC container runtime – the engine powering Docker and Kubernetes – raising concerns about container isolation integrity.

The vulnerabilities (CVE-2025-31133, CVE-2025-52565, CVE-2025-52881) each carry a CVSS 8.2 rating and could allow container breakouts, granting unauthorized write access to host systems.

Discovered by SUSE engineer Aleksa Sarai, the bugs involve unsafe mount and symlink handling during container initialization. Under specific conditions, writes from the container can be redirected to host paths such as /proc, potentially leading to privilege escalation.

While no active exploitation has been observed, prompt patching is advised to maintain container isolation integrity.

Vulnerability card of CVE-2025-31133 (SOCRadar Vulnerability Intelligence)

Key points:

  • Affects all versions of runC prior to 1.2.8, 1.3.3, and 1.4.0-rc.3.
  • Exploitation requires launching containers with customized mount configurations, such as crafted images or Dockerfiles.
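Both fix lists above (the QNAP builds in the previous section and the runC releases here) are per-branch minimums, so a plain numeric comparison misleads: a QuTS hero h5.3.0 build or a runC 1.4.0-rc.2 build is numerically "newer" than the 5.2 or 1.3 fixes yet still unpatched in its own branch. The check below is an added example, not QNAP's, runC's or SOCRadar's code; the rule that a release branch is identified by the first two numeric components, and the hostnames and installed versions used in the test inventory, are assumptions.

```python
import re

# Minimum fixed builds as listed in the post, one entry per release branch.
QNAP_FIXED = {
    "QTS": ["5.2.7.3297"],
    "QuTS hero": ["h5.2.7.3297", "h5.3.1.3292"],
    "Malware Remover": ["6.6.8.20251023"],
    "Hyper Data Protector": ["2.2.4.1"],
    "HBS 3 Hybrid Backup Sync": ["26.2.0.938"],
}
RUNC_FIXED = ["1.2.8", "1.3.3", "1.4.0-rc.3"]

# Optional letter prefix (QuTS hero's 'h'), dotted numbers, optional -tag.N suffix.
_VER = re.compile(r"^[A-Za-z]*(\d+(?:\.\d+)*)(?:-([A-Za-z]+)\.?(\d+))?$")

def parse(version):
    """Return (numbers, pre_release) so that tuples compare in release order.
    A final release ranks above any pre-release of the same numbers:
    pre_release is (0, tag, n) for '-rc.N' builds and (1, '', 0) for releases."""
    m = _VER.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    nums = tuple(int(p) for p in m.group(1).split("."))
    pre = (0, m.group(2).lower(), int(m.group(3))) if m.group(2) else (1, "", 0)
    return nums, pre

def is_patched(installed, fixed_versions):
    """True if the installed build is at or above the fix for its own branch,
    False if older, None if its branch has no fix in the list (assumption:
    a branch is the first two numeric components, e.g. 5.2, 5.3, 1.4)."""
    inst = parse(installed)
    for fixed in fixed_versions:
        fix = parse(fixed)
        if fix[0][:2] == inst[0][:2]:
            return inst >= fix
    return None

def audit(inventory):
    """inventory: iterable of (host, product, version); product is a QNAP_FIXED
    key or 'runC'. Returns {host: 'patched' | 'VULNERABLE' | 'unknown branch'}."""
    result = {}
    for host, product, version in inventory:
        fixed = RUNC_FIXED if product == "runC" else QNAP_FIXED[product]
        state = is_patched(version, fixed)
        result[host] = {True: "patched", False: "VULNERABLE", None: "unknown branch"}[state]
    return result
```

An "unknown branch" result means the running branch is not covered by the post's fix list and should be checked against the vendor advisory rather than assumed safe.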

According to Sysdig’s analysis, administrators should enable user namespaces, use rootless containers, and monitor for unusual symlink behavior as preventative measures.