Critical RCE Zero-Days Patched: QNAP Fixes 7 Flaws Exposed at Pwn2Own 2025
The Taiwanese company QNAP has released updates for its systems addressing seven zero-day vulnerabilities unveiled by participants at Pwn2Own Ireland 2025. The flaws affected the company’s proprietary operating systems QTS and QuTS hero, as well as several key services — Hyper Data Protector, Malware Remover, and HBS 3 Hybrid Backup Sync. All vulnerabilities were discovered during live demonstrations by researchers from Summoning Team, DEVCORE, Team DDOS, and an intern from CyCraft Technology.
According to the official advisory, patches have been issued for the QTS and QuTS hero operating systems, the Malware Remover module, the Hyper Data Protector application, and the HBS 3 Hybrid Backup Sync utility. While the technical details of the exploits have not yet been disclosed, all were classified as critical, enabling remote execution of arbitrary code on vulnerable devices. QNAP strongly urges users to safeguard their systems by installing the latest software versions containing these security fixes without delay.
The company also reminded users of the importance of regularly updating NAS firmware to ensure ongoing protection through the most recent security patches. QNAP emphasized that this incident continues its long-term initiative to address vulnerabilities identified during previous Pwn2Own competitions. In October 2024, the company had already mitigated several flaws showcased by researchers at Pwn2Own Ireland 2024.
QNAP, a frequent participant in such events, views them as an essential means of strengthening the resilience of its NAS ecosystem — offering security researchers a controlled environment to test protective mechanisms and publicly demonstrate weaknesses that might otherwise go unnoticed.