CP
cyberpings
VulnerabilitiesHIGH

QNAP Vulnerabilities - Four Flaws Fixed After Pwn2Own 2025

SASecurity Affairs
CVE-2025-62843CVE-2025-62844CVE-2025-62845CVE-2025-62846
🎯

Basically, QNAP fixed serious security holes in their devices after hackers showed how to exploit them.

Quick Summary

QNAP has fixed four critical vulnerabilities revealed at Pwn2Own 2025. These flaws could allow attackers to execute code and access sensitive data. Timely patching is essential to protect your systems.

The Flaw

In March 2026, QNAP announced the resolution of four significant vulnerabilities showcased at Pwn2Own Ireland 2025. These vulnerabilities, identified as CVE-2025-62843 through CVE-2025-62846, could potentially allow attackers to execute code, access sensitive data, or disrupt system operations. The flaws were exploited by Team DDOS during the competition, where they successfully chained multiple bugs to gain root access, earning a reward of $100,000.

The vulnerabilities reflect a concerning trend in cybersecurity, where physical access, network exposure, and elevated privileges can lead to severe risks. For instance, CVE-2025-62843 involves a flaw in communication channel restrictions, allowing attackers with physical access to bypass controls. Meanwhile, CVE-2025-62844 lets attackers exploit weak authentication mechanisms over a local network.

What's at Risk

The implications of these vulnerabilities are significant. If left unaddressed, they could lead to unauthorized access to sensitive information, potentially compromising the integrity of an organization’s infrastructure. CVE-2025-62846, in particular, is critical as it involves an SQL injection vulnerability that could allow attackers with administrative credentials to execute unauthorized commands. This could severely compromise system control and stability.

Additionally, CVE-2025-62845 relates to improper handling of escape sequences, which can lead to unexpected system behavior. Organizations using QNAP devices must recognize that these vulnerabilities can escalate risks, particularly in environments where sensitive data is handled.

Patch Status

QNAP has released a patch in QuRouter version 2.6.3.009 to address these vulnerabilities. This patch is essential for users to implement promptly to mitigate the risks associated with these flaws. The company had previously patched seven zero-day vulnerabilities in November 2025, highlighting their commitment to security and the importance of timely updates.

Organizations are encouraged to regularly check for updates and apply patches as soon as they are available. Ignoring these updates can leave systems vulnerable to exploitation, especially in the wake of high-profile demonstrations like those at Pwn2Own.

Immediate Actions

For users of QNAP devices, immediate action is required to ensure security. Here are some key steps to take:

  • Update your devices: Ensure that all QNAP devices are running the latest firmware version, specifically QuRouter version 2.6.3.009.
  • Review security policies: Reassess your organization's security policies regarding device access and authentication mechanisms.
  • Monitor for unusual activity: Keep an eye on network traffic and device behavior for any signs of exploitation or unauthorized access.

By taking these proactive measures, organizations can significantly reduce their risk and enhance their overall security posture against potential threats.

🔒 Pro insight: The vulnerabilities exploited at Pwn2Own underscore the need for robust security practices and regular updates in networked environments.

Original article from

Security Affairs · Pierluigi Paganini

Read Full Article

Share

Related Pings

HIGHVulnerabilities

Vulnerabilities - Lightning-Fast Exploits Demand Urgent Patching

Cyber attackers are exploiting vulnerabilities faster than ever. Security teams must patch urgently and strengthen identity controls to protect against breaches. The landscape is changing rapidly, and proactive measures are essential.

The Register Security·
CRITICALVulnerabilities

CVE-2026-21992 - Oracle Fixes Critical RCE Vulnerability

Oracle has patched a critical vulnerability in its Fusion Middleware suite. This flaw could allow hackers to execute code remotely. Immediate action is necessary to protect sensitive systems.

Arctic Wolf Blog·
HIGHVulnerabilities

CVE-2026-3055 - Critical Unauthenticated Memory-Read Flaw

Citrix has released a critical patch for a vulnerability in its NetScaler ADC and Gateway. Unauthenticated attackers could exploit this flaw to read sensitive memory data. Affected users must upgrade immediately to protect their systems.

Arctic Wolf Blog·
HIGHVulnerabilities

CVE-2026-3055 - Critical Citrix NetScaler Vulnerability Alert

Citrix has revealed a critical vulnerability, CVE-2026-3055, affecting its NetScaler products. Organizations using these systems are at risk of data leaks. Immediate action is required to secure sensitive information from potential attacks.

Rapid7 Blog·
HIGHVulnerabilities

Vulnerabilities in Citrix NetScaler - Update Recommended

Citrix has revealed multiple vulnerabilities in its NetScaler products. These flaws could lead to serious data breaches and session mix-ups. Immediate updates are essential to protect sensitive information.

CERT-EU Security Advisories·
HIGHVulnerabilities

NetScaler ADC Vulnerabilities - Urgent Patches Released

Critical vulnerabilities have been found in NetScaler ADC and Gateway software. Organizations must act quickly to apply patches and protect their systems from potential remote attacks. Unpatched systems could face serious security risks.

Cyber Security News·