QNAP Zero-Days - Pwn2Own NAS Exploits Patched in QTS and QuTS hero
Category:Vulnerabilities & Exploits
QNAP has patched seven zero-day vulnerabilities demonstrated at Pwn2Own Ireland 2025 that affected QTS, QuTS hero, Hyper Data Protector, Malware Remover, and HBS 3 Hybrid Backup Sync. The flaws allow remote code execution and privilege escalation, giving an attacker full control of an affected NAS appliance. The exploits, demonstrated by Summoning Team, DEVCORE, Team DDOS, and a CyCraft intern, leveraged unsafe command handling and memory corruption in the NAS firmware and backup tools, corresponding to MITRE ATT&CK techniques T1190 (Exploit Public-Facing Application) and T1068 (Privilege Escalation).

The vulnerabilities impact QTS 5.2.x and QuTS hero h5.2.x/h5.3.x, as well as the associated applications, leaving unpatched NAS devices open to compromise through internet-exposed management interfaces. Many organizations deploy QNAP devices in branch offices or backup environments where patching cycles are slower, which heightens the risk. An attacker who exploits these flaws can steal data, encrypt backups, or use the NAS as a launchpad for ransomware and lateral movement.

Unpatched QNAP NAS systems therefore represent a severe business continuity and data protection risk, especially for enterprises storing regulated data or intellectual property. Compromise may result in data loss, downtime, and regulatory penalties under GDPR or HIPAA if backups or sensitive files are exfiltrated. Because Pwn2Own vulnerabilities are quickly weaponized by threat actors, exploitation attempts in the wild are expected. Administrators should upgrade to QTS 5.2.7.3297, QuTS hero h5.3.1.3292, and the newer versions of Hyper Data Protector, Malware Remover, and HBS 3. Access to NAS management interfaces should be restricted to internal or VPN-only networks, with logging integrated into a SIEM to detect anomalous activity such as new backup jobs or unauthorized configuration changes.
CORTEX Protocol Intelligence Assessment
Business Impact: Unpatched QNAP NAS devices can enable ransomware, data theft, or backup corruption, disrupting operations and triggering compliance exposure. Exploitation of these vulnerabilities can undermine data resilience strategies, leading to financial and reputational losses.
Technical Context: These zero-days exploit flaws in QTS and QuTS hero, allowing remote code execution and privilege escalation (T1190, T1068). QNAP's latest firmware updates mitigate these risks, but many devices remain exposed due to weak patch management and network segmentation.
Strategic Intelligence Guidance
- Upgrade all QNAP devices to the latest patched firmware and software versions immediately.
- Restrict NAS management interfaces to VPN or internal networks only.
- Integrate QNAP logs into centralized SIEM for behavioral anomaly detection.
- Regularly test backups and verify data integrity to ensure resilience against ransomware.
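One way to turn the upgrade guidance above into a repeatable inventory check, as an added example that is not QNAP's code: it compares installed QTS and QuTS hero build strings against the fixed builds named in this advisory (5.2.7.3297 and h5.3.1.3292) and lists devices still needing the update. The hostnames and installed versions in the sample inventory are constructed.

```python
"""Flag QNAP NAS devices running builds below the Pwn2Own fixed firmware."""
import re
from typing import Dict, List, Tuple

# Fixed builds from the advisory; QuTS hero build strings carry an "h" prefix.
FIXED_BUILDS: Dict[str, str] = {
    "QTS": "5.2.7.3297",
    "QuTS hero": "h5.3.1.3292",
}


def parse_version(ver: str) -> Tuple[int, ...]:
    """Turn '5.2.7.3297' or 'h5.3.1.3292' into a numerically comparable tuple."""
    m = re.fullmatch(r"h?(\d+(?:\.\d+)*)", ver.strip())
    if not m:
        raise ValueError(f"unrecognised QNAP version string: {ver!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_patched(product: str, version: str) -> bool:
    """True when the installed build is at or above the fixed build for the product."""
    if product not in FIXED_BUILDS:
        raise KeyError(f"no fixed build known for product {product!r}")
    # Tuple comparison is element-wise, so 5.2.6.x sorts below 5.2.7.3297.
    return parse_version(version) >= parse_version(FIXED_BUILDS[product])


def audit(inventory: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one finding per device that still needs the firmware update."""
    findings = []
    for dev in inventory:
        if not is_patched(dev["product"], dev["version"]):
            findings.append({"host": dev["host"], "product": dev["product"],
                             "installed": dev["version"],
                             "required": FIXED_BUILDS[dev["product"]]})
    return findings


# Constructed sample inventory: hostnames and build numbers are hypothetical.
SAMPLE_INVENTORY = [
    {"host": "nas-branch-01", "product": "QTS", "version": "5.2.6.3195"},
    {"host": "nas-branch-02", "product": "QTS", "version": "5.2.7.3297"},
    {"host": "nas-backup-01", "product": "QuTS hero", "version": "h5.2.5.3138"},
    {"host": "nas-backup-02", "product": "QuTS hero", "version": "h5.3.1.3292"},
]

if __name__ == "__main__":
    for f in audit(SAMPLE_INVENTORY):
        print(f"{f['host']}: {f['product']} {f['installed']} -> upgrade to {f['required']}")
```

Feed it the version strings your asset inventory already collects; any device it reports is one the advisory says to upgrade before exposing its management interface anywhere but an internal or VPN network.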
Intelligence Source: QNAP Zero-Days - Pwn2Own NAS Exploits Patched in QTS and QuTS hero | Nov 10, 2025