Advisory

QNAP patches seven zero-day vulnerabilities exploited at Pwn2Own Ireland 2025

Take action: If you have QNAP NAS devices, plan a quick update to the patched versions released October 24, 2025 (QTS 5.2.7.3297, QuTS hero h5.2.7.3297 or h5.3.1.3292). The same goes for Hyper Data Protector, Malware Remover, and HBS 3. All of them contain exploitable vulnerabilities, and the exploits were publicly demonstrated at a conference. Expect attacks soon. Naturally, isolate your NAS from the internet, ideally on a separate network segment (VLAN).


Learn More

QNAP has patched seven critical zero-day vulnerabilities in its network-attached storage operating systems and applications after their successful exploitation by security researchers at Pwn2Own Ireland 2025. 

Although CVSS scores remain pending for some entries, the zero-day status and Pwn2Own context classify them as critical severity, with potential for denial-of-service attacks as a precursor to data compromise.

Vulnerabilities summary

  • CVE-2025-62847 (tracked as ZDI-CAN-28353)
  • CVE-2025-62848 (tracked as ZDI-CAN-28435)
  • CVE-2025-62849 (tracked as ZDI-CAN-28436)
  • CVE-2025-62840, CVE-2025-62842 - Path traversal vulnerabilities in HBS 3 Hybrid Backup Sync, the disaster recovery and data backup solution, allow unauthorized backup access
  • CVE-2025-11837 - Command injection in the scanning engine of Malware Remover
  • CVE-2025-59389 - Additional vulnerabilities in Hyper Data Protector, QNAP's data protection software

The flaws affect QNAP's QTS 5.2.x, QuTS hero h5.2.x, and QuTS hero h5.3.x operating systems, as well as the company's Hyper Data Protector, Malware Remover, and HBS 3 Hybrid Backup Sync applications. 

QNAP released patches October 24, 2025. Users are advised to upgrade to the following versions:

  • Hyper Data Protector 2.2.4.1 and later
  • Malware Remover 6.6.8.20251023 and later
  • HBS 3 Hybrid Backup Sync 26.2.0.938 and later
  • QTS 5.2.7.3297 build 20251024 and later
  • QuTS hero h5.2.7.3297 build 20251024 and later
  • QuTS hero h5.3.1.3292 build 20251024 and later
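
An added example, not part of the original advisory and not QNAP tooling: a small Python audit that compares an inventory of installed versions against the fixed releases listed above. The inventory rows (hostnames and installed versions) are constructed, and QuTS hero is matched per branch so that an h5.3.x system is never judged against the h5.2.x fix.

```python
import re

# Minimum fixed releases, copied from the advisory's upgrade list.
# Entry: (product, branch prefix, fixed version, fixed OS build or 0 for apps).
FIXED = [
    ("Hyper Data Protector", "", "2.2.4.1", 0),
    ("Malware Remover", "", "6.6.8.20251023", 0),
    ("HBS 3 Hybrid Backup Sync", "", "26.2.0.938", 0),
    ("QTS", "5.2.", "5.2.7.3297", 20251024),
    ("QuTS hero", "h5.2.", "h5.2.7.3297", 20251024),
    ("QuTS hero", "h5.3.", "h5.3.1.3292", 20251024),
]

def parse(text):
    """'h5.2.7.3297 build 20251024' -> ((5, 2, 7, 3297), 20251024)."""
    m = re.fullmatch(r"h?(\d+(?:\.\d+)*)(?:\s+build\s+(\d{8}))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in m.group(1).split(".")), int(m.group(2) or 0)

def status(product, installed):
    """Return 'patched', 'update' or 'not-covered' for one inventory row."""
    for name, branch, fixed, build in FIXED:
        if name == product and installed.strip().startswith(branch):
            # A missing build on an OS row parses as 0, so an exact version
            # match without a build is flagged instead of assumed safe.
            floor = (parse(fixed)[0], build)
            return "patched" if parse(installed) >= floor else "update"
    return "not-covered"  # product or branch the advisory does not list

# Constructed inventory for illustration (hostnames and versions are made up).
INVENTORY = [
    ("nas-01", "QTS", "5.2.6.3195 build 20250715"),
    ("nas-02", "QuTS hero", "h5.3.0.3115 build 20250901"),
    ("nas-03", "QuTS hero", "h5.2.7.3297 build 20251024"),
    ("nas-03", "Malware Remover", "6.6.8.20251023"),
    ("nas-04", "HBS 3 Hybrid Backup Sync", "26.1.0.900"),
]

def audit(rows):
    """Attach a status to every (host, product, installed version) row."""
    return [(h, p, v, status(p, v)) for h, p, v in rows]

if __name__ == "__main__":
    for row in audit(INVENTORY):
        print("{:8} {:26} {:30} {}".format(*row))
```
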

QNAP advises immediate password rotation and segmentation of NAS traffic using VLANs to limit lateral movement post-exploit.
