QTS Security Update: QNAP Patches Seven Zero-Day Vulnerabilities Exposed at Pwn2Own

QNAP Fixes Seven Zero-Day Vulnerabilities Exploited in Pwn2Own Ireland 2025 Competition

During the recent Pwn2Own Ireland 2025 competition, security researchers were able to exploit seven zero-day vulnerabilities in QNAP network-attached storage (NAS) devices. These vulnerabilities have since been addressed by QNAP.

The vulnerabilities impacted QNAP’s QTS and QuTS hero operating systems, as well as their Hyper Data Protector, Malware Remover, and HBS 3 Hybrid Backup Sync software.

Security bugs were demonstrated by various teams at Pwn2Own, including the Summoning Team, DEVCORE, Team DDOS, and a CyCraft technology intern.

QNAP recommends updating software to the latest version and changing all passwords to enhance security and protect against future vulnerabilities.

Software Versions with Fixed Vulnerabilities

  • Hyper Data Protector 2.2.4.1 and later
  • Malware Remover 6.6.8.20251023 and later
  • HBS 3 Hybrid Backup Sync 26.2.0.938 and later
  • QTS 5.2.7.3297 build 20251024 and later
  • QuTS hero h5.2.7.3297 build 20251024 and later
  • QuTS hero h5.3.1.3292 build 20251024 and later
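A version check against the list above, as an added example (not QNAP's code): it flags inventory entries below the fixed release and handles the two QuTS hero branches separately, so an h5.3.x build is compared with h5.3.1.3292 rather than with the lower h5.2.7 number. The host names, installed versions, and the branch rule noted in the comments are assumptions made for illustration.

```python
import re

# Minimum fixed releases, copied from the list above. QuTS hero has two branches.
FIXED = {
    "Hyper Data Protector": ["2.2.4.1"],
    "Malware Remover": ["6.6.8.20251023"],
    "HBS 3 Hybrid Backup Sync": ["26.2.0.938"],
    "QTS": ["5.2.7.3297 build 20251024"],
    "QuTS hero": ["h5.2.7.3297 build 20251024", "h5.3.1.3292 build 20251024"],
}

def parse(version):
    """'h5.3.1.3292 build 20251024' -> ((5, 3, 1, 3292), 20251024); build is 0 if absent."""
    m = re.fullmatch(r"h?(\d+(?:\.\d+)*)(?:\s+build\s+(\d+))?", version.strip(), re.I)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(p) for p in m.group(1).split(".")), int(m.group(2) or 0)

def at_least(installed, fixed):
    (n1, b1), (n2, b2) = parse(installed), parse(fixed)
    if n1 != n2:
        return n1 > n2
    # Same version number: the build date breaks the tie only when both sides have one.
    return b1 >= b2 if b1 and b2 else True

def is_patched(product, installed):
    fixed = FIXED[product]
    branch = parse(installed)[0][:2]          # major.minor, e.g. (5, 3)
    same = [f for f in fixed if parse(f)[0][:2] == branch]
    if same:
        return at_least(installed, same[0])
    # Assumption: with no fixed release listed for this branch, only a version
    # newer than every listed fix counts as "and later".
    return all(parse(installed)[0] > parse(f)[0] for f in fixed)

def audit(inventory):
    """Return the (host, product, version) rows that still need the update."""
    return [row for row in inventory if not is_patched(row[1], row[2])]

# Constructed inventory for illustration; hosts and installed versions are made up.
INVENTORY = [
    ("nas-01", "QTS", "5.2.7.3297 build 20251024"),
    ("nas-02", "QTS", "5.2.6.3000 build 20250801"),
    ("nas-03", "QuTS hero", "h5.3.0.3000 build 20250801"),
    ("nas-03", "Malware Remover", "6.6.8.20251023"),
    ("nas-04", "Hyper Data Protector", "2.2.4.0"),
]

if __name__ == "__main__":
    for host, product, version in audit(INVENTORY):
        print(f"{host}: {product} {version} is below the fixed release")
```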

To update the operating system, users can log in as an administrator, navigate to Control Panel > System > Firmware Update, and use Live Update.

For vulnerable apps, users should log in as an admin, open the App Center, search for the app to update, click “Update,” and confirm the action.

Regularly updating the system is crucial for security, and users can check the product support status for the latest updates available for their NAS model.

One year ago, QNAP patched two zero-day vulnerabilities from Pwn2Own Ireland 2024. Today, QuMagie 2.7.0 has been released with patches for a critical SQL injection vulnerability.
