QNAP, a prominent manufacturer of Network Attached Storage (NAS) devices, has issued a series of critical security updates following the discovery of eight severe vulnerabilities, seven of which were publicly demonstrated at the Pwn2Own 2025 competition. These flaws collectively enable remote attackers to gain complete control over affected NAS systems.
The revelations, detailed in recent security advisories, underscore a persistent challenge in securing consumer and enterprise-grade data storage solutions. For more insights on robust protection strategies, consider reading about Cybersecurity Overhaul: Thales and Imperva Unite for Integrated Security. The vulnerabilities span core operating systems such as QTS and QuTS hero, alongside critical applications including HBS 3 Hybrid Backup Sync and Malware Remover, prompting an urgent call for users to update their devices immediately.
During the Pwn2Own 2025 event held in Cork, Ireland, several research teams successfully showcased methods to remotely compromise fully patched QNAP systems. These exploits targeted crucial software components, including multiple vulnerabilities in HBS 3 Hybrid Backup Sync (CVE-2025-62840, CVE-2025-62842) and Malware Remover (CVE-2025-11837). Additionally, critical weaknesses were identified within the device’s underlying operating systems, QTS and QuTS hero (CVE-2025-62847, CVE-2025-62848, CVE-2025-62849).
Separately, an eighth critical vulnerability, an SQL injection flaw identified as CVE-2025-52425, was reported in QuMagie, QNAP’s photo management application. This particular flaw allows a remote attacker to execute arbitrary commands and code on the compromised NAS system, independent of the Pwn2Own demonstrations.
QNAP has released patched versions to address these issues, urging users to update affected software without delay. Recommended updates include HBS 3 Hybrid Backup Sync to version 26.2.0.938 or later, Malware Remover to 6.6.8.20251023 or later, QTS and QuTS hero to versions such as QTS 5.2.7.3297 build 20251024 or later, and QuMagie to 2.7.0 or later. The company also advises changing all passwords for increased security.
The urgency of these updates is amplified by past incidents where vulnerabilities in QNAP devices have been leveraged in widespread ransomware attacks, resulting in the encryption of user files and significant data loss. Understanding the evolving landscape of cyberthreats, including sophisticated malware like the SleepyDuck Malware, is crucial. As networked storage continues to be a cornerstone of both personal and professional digital infrastructure, prompt adherence to security advisories and regular system maintenance remains essential to mitigate evolving cyberthreats.