At a glance: QNAP patched critical NAS flaws, some of which were revealed at Pwn2Own 2025, that could enable remote code execution and unauthorized access. Field Effect MDR users are automatically notified if affected systems are detected and should review their AROs for patch verification steps and remediation guidance.
On November 8, 2025, QNAP released security updates addressing multiple vulnerabilities, several of which were exploited during the Pwn2Own Ireland 2025 hacking competition in October 2025.
These flaws affect key components of QNAP’s network-attached storage (NAS) ecosystem, deployed widely across enterprise and small business environments for centralized data storage, backup, and recovery.
QNAP's proprietary NAS operating systems were affected by three vulnerabilities, tracked as:
These flaws stem from input validation and memory corruption issues in Common Gateway Interface (CGI) handlers, web server components that process requests using the CGI standard.
CGI handlers manage web-based administrative interfaces and services. Because they often run with elevated privileges and are exposed via the NAS web interface, these vulnerabilities allow threat actors to execute malicious code, escalate privileges, or crash services.
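The following is an added illustration, not QNAP's code and not the specific flaw described above. It shows the generic shape of an input-validation defect in a CGI-style handler that runs with elevated privileges: a request parameter spliced into a shell command string, beside a hardened handler that validates the parameter against a strict allowlist and passes it as a single argv element with no shell. The parameter name `share`, the path `/share/backups` and the query strings are all constructed for the example; the memory-corruption half of the QNAP flaws lives in native code and is not shown here.

```python
"""
Input validation in a CGI-style request handler: unsafe pattern beside the
hardened one. Added example; the handler, parameter and paths are assumed.
"""
import re
from typing import List, Optional
from urllib.parse import parse_qs

# Allowlist for the hypothetical 'share' parameter: a short name made only of
# characters that cannot change the meaning of a path or a command line.
SHARE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}")
BACKUP_ROOT = "/share/backups"  # assumed path for the example, not a QNAP path


def build_command_unsafe(query_string: str) -> str:
    """Unsafe: the caller-controlled value is concatenated into a shell string.
    Any shell metacharacters in it become syntax, not data, in the command the
    handler would run with the handler's (elevated) privileges.
    Returned as a string for inspection only; never executed here."""
    params = parse_qs(query_string)
    share = params.get("share", [""])[0]
    return f"ls -l {BACKUP_ROOT}/{share}"


def build_command_safe(query_string: str) -> Optional[List[str]]:
    """Hardened: exactly one 'share' value, matching the allowlist in full,
    passed as its own argv element so no shell ever parses it. The allowlist
    also excludes '.' and '/', so the value cannot escape BACKUP_ROOT.
    Returns None when the request must be refused with a client error."""
    params = parse_qs(query_string)
    values = params.get("share", [])
    if len(values) != 1 or not SHARE_NAME.fullmatch(values[0]):
        return None
    return ["ls", "-l", f"{BACKUP_ROOT}/{values[0]}"]


# Constructed requests: one well-formed, one carrying a shell metacharacter,
# one attempting path traversal, one with a duplicated parameter.
SAMPLE_REQUESTS = [
    "share=backup1",
    "share=backup1;other",
    "share=../config",
    "share=backup1&share=backup2",
]

if __name__ == "__main__":
    for qs in SAMPLE_REQUESTS:
        print(f"{qs!r:32s} unsafe -> {build_command_unsafe(qs)!r}")
        print(f"{'':32s} safe   -> {build_command_safe(qs)!r}")
```

The unsafe builder never runs the string it produces; it exists only so the contrast is visible. The hardened builder refuses anything outside the allowlist rather than trying to escape it, which is the robust choice for a handler that is reachable from the NAS web interface.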
HBS 3 is QNAP’s backup and disaster recovery solution, supporting local, remote, and cloud-based backups.
Two critical flaws, tracked as CVE-2025-62840 and CVE-2025-62842, could allow unauthorized access to remote backup targets, including other NAS devices, servers, or cloud services. If exploited, attackers could access sensitive off-device data or move laterally across a network, depending on how those systems are configured and secured.
Malware Remover is a built-in QNAP utility designed to detect and remove known malware from NAS devices. It is part of QNAP’s security suite and is often deployed in environments with internet-facing NAS systems.
Version 6.6.x contained one code injection flaw, tracked as CVE-2025-11837, which could allow malicious commands to be executed under the guise of a trusted security process. The vulnerability is patched in version 6.6.8.20251023.
Hyper Data Protector is QNAP’s agentless backup solution for VMware and Hyper-V environments. It enables centralized backup of virtual machines to QNAP NAS devices, supporting incremental backups and instant recovery.
Version 2.2.x was impacted by CVE-2025-59389, a critical flaw patched in version 2.2.4.1. The issue involved hardcoded credentials and an injection flaw, which could allow unauthorized access and manipulation of backup configurations or data.
Official CVSS scores have not been published but, based on their exploitation during live demonstrations, these flaws present a credible risk of future attacks. Left unpatched, they could enable remote code execution, unauthorized access, and full system compromise.
QNAP recommends updating all affected components to the latest versions. After patching, users are advised to change all passwords. Where patching is delayed, isolating NAS interfaces from public networks and enforcing strong authentication controls can reduce exposure.
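One way to carry out the patch verification step is to compare the installed version of each affected component against the fixed version the advisory gives. The script below is an added example, not Field Effect's or QNAP's tooling. It assumes an inventory of installed app versions (constructed below; in practice exported from the NAS or an asset-management system) and uses only the fixed versions stated on this page: Malware Remover 6.6.8.20251023 and Hyper Data Protector 2.2.4.1. The advisory does not state fixed versions for HBS 3 or the NAS operating systems, so those entries are reported for manual verification rather than guessed.

```python
"""
Patch-status check for the QNAP components named in the advisory.
Added example; the inventory format and sample versions are constructed.
"""
from typing import Dict, Optional, Tuple

# Fixed versions stated in the advisory. None means the page gives no fixed
# version, so the component is flagged for manual verification, not guessed.
FIXED_VERSIONS: Dict[str, Optional[str]] = {
    "Malware Remover": "6.6.8.20251023",   # CVE-2025-11837
    "Hyper Data Protector": "2.2.4.1",     # CVE-2025-59389
    "HBS 3": None,                         # CVE-2025-62840, CVE-2025-62842
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '6.6.8.20251023' into (6, 6, 8, 20251023) so that each component,
    including the date-stamped build number, compares numerically."""
    parts = []
    for piece in text.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_at_least(installed: str, fixed: str) -> bool:
    """True when installed >= fixed, component by component. Shorter versions
    are zero-padded, so '2.2.4' is older than '2.2.4.1'."""
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a >= b


def check_inventory(inventory: Dict[str, str]) -> Dict[str, str]:
    """Classify every tracked component as 'patched', 'vulnerable',
    'not installed' or 'verify manually' (no fixed version on the page)."""
    results = {}
    for component, fixed in FIXED_VERSIONS.items():
        installed = inventory.get(component)
        if installed is None:
            results[component] = "not installed"
        elif fixed is None:
            results[component] = "verify manually"
        elif is_at_least(installed, fixed):
            results[component] = "patched"
        else:
            results[component] = "vulnerable"
    return results


# Constructed inventory for one NAS; these version strings are not real data.
SAMPLE_INVENTORY = {
    "Malware Remover": "6.6.7.20250915",
    "Hyper Data Protector": "2.2.4.1",
    "HBS 3": "25.1.0.1",
}

if __name__ == "__main__":
    for component, status in check_inventory(SAMPLE_INVENTORY).items():
        print(f"{component:22s} {status}")
```

A "vulnerable" result means the component should be updated before the credential rotation the advisory recommends, since changing passwords on a still-exploitable system does not remove the exposure.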
Field Effect’s Security Intelligence professionals constantly monitor the cyber threat landscape for vulnerabilities discovered in software like QNAP. Field Effect MDR users are automatically notified if vulnerabilities are detected in their environment and are encouraged to review these AROs for remediation guidance, including patch verification steps and credential hygiene recommendations.