QNAP Fixed Four Vulnerabilities Demonstrated at Pwn2Own Ireland 2025

The annual Pwn2Own competition continues to serve as a real‑world proving ground for security research, and the 2025 Ireland edition put QNAP’s networking gear under the spotlight. Team DDOS demonstrated a chain of four vulnerabilities in QNAP’s QuRouter SD‑WAN devices, earning a $100,000 bounty for achieving root privileges. The flaws spanned physical‑access bypass, weak LAN authentication, an SQL injection with admin credentials, and improper handling of escape sequences. Such a multi‑vector attack illustrates how attackers can combine seemingly minor bugs to compromise entire network infrastructures. The demonstration also highlighted the growing relevance of SD‑WAN security in hybrid cloud environments.

009 that patches CVE‑2025‑62843 through CVE‑2025‑62846. The update closes the privilege‑escalation path, strengthens LAN authentication, and sanitizes command parsing to block the escape‑sequence abuse. In parallel, the company issued patches for seven additional zero‑day flaws affecting its QTS, QuTS‑hero, Hyper Data Protector, Malware Remover, and HBS 3 backup software, consolidating security fixes across both storage and networking portfolios. Customers are advised to reboot devices after installation to ensure the patches take effect.

For enterprises that rely on QNAP appliances for storage, backup, or SD‑WAN routing, the episode underscores the importance of rigorous patch management and layered defenses. Physical security controls, network segmentation, and least‑privilege account policies can mitigate the impact of any single flaw that slips through. Moreover, the public disclosure of a sizable bounty signals that vendors are incentivizing responsible research, which ultimately raises the overall security baseline. Organizations should monitor QNAP advisories closely and apply the latest firmware to safeguard critical data and maintain operational continuity. Adopting automated vulnerability scanning can further reduce exposure to emerging exploits.