CP
cyberpings
VulnerabilitiesHIGH

QNAP Patches Vulnerabilities Exploited at Pwn2Own Contest

SWSecurityWeek
CVE-2025-62843CVE-2025-62844CVE-2025-62845CVE-2025-62846QNAP
🎯

Basically, QNAP fixed four security holes that hackers used in a competition.

Quick Summary

QNAP has patched four vulnerabilities exploited during the Pwn2Own hacking contest. These flaws could allow attackers to execute unauthorized code. Users must update their devices to protect against potential exploits. This is critical for maintaining device security.

The Flaw

In a recent announcement, QNAP revealed patches for four significant vulnerabilities discovered during the Pwn2Own hacking contest in October 2025. These flaws, tracked as CVE-2025-62843 to CVE-2025-62846, primarily affect the company's SD-WAN routers. The vulnerabilities allow attackers to gain unauthorized access, execute malicious code, or cause unexpected behavior in the devices. The first vulnerability requires physical access to exploit, while the second can be targeted over the local network to access sensitive information.

The last two vulnerabilities are particularly concerning as they can be exploited by attackers with administrative privileges. These flaws enable unauthorized code execution and can lead to unexpected device behavior. The Team DDOS, which demonstrated these exploits at the contest, successfully chained multiple bugs to gain root privileges, earning a whopping $100,000 for their efforts.

What's at Risk

The implications of these vulnerabilities are significant. If left unpatched, they could allow attackers to gain control over vulnerable devices, leading to potential data breaches or service disruptions. The ability to execute unauthorized commands poses a severe risk to organizations relying on QNAP's technology for their networking needs. As these vulnerabilities were demonstrated in a high-profile hacking contest, it raises concerns about their potential exploitation in the wild.

QNAP has urged users to update their devices to the latest versions to mitigate these risks. The patches not only address the vulnerabilities demonstrated at Pwn2Own but also include fixes for other critical issues in their product lineup, such as QuNetSwitch and QVR Pro.

Patch Status

QNAP has rolled out updates for the affected products, including QuRouter version 2.6.3.009 and QuNetSwitch versions 2.0.4.0415 and 2.0.5.0906. These updates are crucial as they resolve the vulnerabilities that could lead to arbitrary code execution and unauthorized access. Users are strongly advised to implement these patches as soon as possible to safeguard their devices against potential attacks.

In addition to the patches for the vulnerabilities exploited at Pwn2Own, QNAP has addressed medium-severity vulnerabilities in other products, such as the Media Streaming Add-on and QuFTP Service. While these vulnerabilities do not carry the same level of risk, they can still lead to crashes or data leaks if not addressed.

Immediate Actions

To protect your systems, take the following steps:

  • Update your QNAP devices to the latest firmware versions immediately.
  • Monitor your network for any unusual activity that could indicate an attempted exploit.
  • Review your security policies to ensure that they account for the risks associated with these vulnerabilities.

By staying proactive and implementing these updates, users can significantly reduce their risk of falling victim to potential exploits stemming from these vulnerabilities. The swift action taken by QNAP in addressing these issues highlights the importance of maintaining robust security practices in the face of evolving threats.

🔒 Pro insight: The rapid patching following Pwn2Own highlights the need for organizations to prioritize timely updates to mitigate exploitation risks.

Original article from

SecurityWeek · Ionut Arghire

Read Full Article

Share

Related Pings

HIGHVulnerabilities

Xbox One Hacked - Unpatchable Bliss Exploit Revealed

The Xbox One has been hacked using a voltage glitch exploit. This unpatchable Bliss exploit allows full control over the console. Gamers and developers face serious security risks as a result.

Schneier on Security·
MEDIUMVulnerabilities

Microsoft Fixes Windows Update Bug - Reliability Promised

Microsoft has fixed a bug in a recent Windows update that caused sign-in issues for users. This fix comes after a promise for improved reliability. Users are encouraged to apply the latest updates to avoid further problems.

The Register Security·
CRITICALVulnerabilities

Craft CMS Vulnerability - CISA Warns of Active Exploitation

CISA has warned of a critical vulnerability in Craft CMS that is actively being exploited. Organizations using this CMS must patch immediately to avoid severe risks. The flaw allows attackers to execute code remotely, compromising sensitive data and system integrity.

Cyber Security News·
CRITICALVulnerabilities

Oracle Identity Manager - Emergency Fix for Critical RCE

Oracle has released a critical patch for a serious vulnerability in Identity Manager. This flaw allows attackers to execute code remotely without authentication. Organizations must act quickly to secure their systems and prevent exploitation.

Help Net Security·
CRITICALVulnerabilities

Vulnerabilities - CISA Orders Urgent Patch for Cisco Flaw

CISA has ordered federal agencies to patch a critical Cisco flaw exploited by ransomware. This vulnerability allows remote code execution, posing severe risks. Swift action is essential to safeguard systems.

Infosecurity Magazine·
HIGHVulnerabilities

Vulnerabilities in IP-KVM Devices - Critical Security Risks

Recent vulnerabilities in low-cost IP-KVM devices pose serious risks. Attackers can gain BIOS-level control, bypassing security measures. Organizations must act quickly to secure their networks.

Cyber Security News·