🚨 CRITICALvulnerabilityNov 9, 2025

QNAP Zero-Day Vulnerabilities - Seven NAS Flaws Patched

Category:Threat Alerts / Vulnerabilities & Exploits

QNAP zero-day vulnerabilities uncovered at Pwn2Own 2025 highlight how NAS appliances can quietly become critical points of failure in enterprise storage architectures. Researchers at the Cork event chained seven previously unknown flaws, including CVE-2025-62847, CVE-2025-62848 and CVE-2025-62849 alongside ZDI-CAN entries, to achieve remote code execution and privilege escalation against QTS 5.2.x and QuTS hero h5.2.x and h5.3.x. Exploits target CGI handlers such as quick.cgi with stack-based buffer overflows and use-after-free conditions, allowing unauthenticated attackers to run arbitrary shell commands on uninitialized and initialized devices. Beyond core OS bugs, related issues in HBS 3 Hybrid Backup Sync (CVE-2025-62840, CVE-2025-62842) and Malware Remover (CVE-2025-11837) expose backup paths and command injection vectors, undermining both data protection and security tooling. QNAP has released firmware updates dated October 24, 2025, including QTS 5.2.7.3297 build 20251024 and QuTS hero 5.3.1.3292 for affected branches, but many NAS units remain unmanaged in edge sites or small offices. For enterprises relying on QNAP for shared file stores, backups, or lab infrastructure, these vulnerabilities translate into potential supply-chain style compromise of downstream systems, lateral movement opportunities across VLANs, and silent data exfiltration from devices often excluded from regular patch cycles.

🎯CORTEX Protocol Intelligence Assessment

Business Impact: QNAP zero-day vulnerabilities give determined attackers a direct path to compromise file shares, backups, and project repositories that frequently hold crown-jewel data outside traditional server hardening programs. A single unpatched NAS can enable ransomware staging, data theft, and stealthy persistence that undermines disaster recovery assumptions and regulatory reporting obligations. Technical Context: The Pwn2Own chain abuses memory corruption bugs in CGI components like quick.cgi to gain unauthenticated remote code execution, then escalates privileges via additional kernel and application flaws across QTS and QuTS hero branches. Related CVEs in HBS 3 and Malware Remover expand the attack surface to backup pipelines and security tooling, demonstrating that ancillary apps on NAS devices must be patched and monitored as rigorously as core firmware.

⚡Strategic Intelligence Guidance

Identify and inventory all QNAP NAS devices, mapping QTS and QuTS hero versions, and immediately apply the October 24, 2025 firmware builds or later across production and lab environments.
Segment NAS management and data traffic onto dedicated VLANs with strict firewall rules, preventing direct internet exposure and limiting lateral movement from compromised appliances.
Integrate NAS logs into centralized SIEM monitoring, creating detections for anomalous CGI requests, unexpected shell command execution, and new outbound connections from storage subnets.
Treat NAS applications such as backup tools and antimalware add-ons as first-class assets in patch management, with explicit ownership, maintenance windows, and validation testing.

CVEs

CVE-2025-62847CVE-2025-62848CVE-2025-62849CVE-2025-62840CVE-2025-62842CVE-2025-11837

Vendors

QNAPZero Day Initiative

Threats

QNAP NAS zero-day RCEPwn2Own Ireland 2025 exploits

Targets

QTS 5.2.xQuTS hero h5.2.xQuTS hero h5.3.xQNAP NAS devices