Executive Summary
In March 2025, QNAP addressed seven critical zero-day vulnerabilities after security researchers demonstrated successful exploitation against their network-attached storage (NAS) devices during the Pwn2Own Ireland cybersecurity competition. The vulnerabilities allowed attackers to gain unauthorized access, compromise stored data, and potentially escalate privileges on affected systems. Once these flaws were publicly disclosed through the competition, QNAP developed and released urgent security patches to mitigate the risk to its global customer base, which includes enterprises and individuals relying on QNAP NAS for data storage.
This incident underscores the increasing attention given to storage infrastructure as an attack vector, especially as threat actors and security researchers focus on discovering and weaponizing new zero-day vulnerabilities. The Pwn2Own event continues to reveal hidden risks across common network appliances, prompting vendors to accelerate patch cycles and organizations to prioritize vulnerability management for critical data repositories.
Why This Matters Now
Widespread use of NAS devices in both enterprise and personal environments means unpatched zero-day flaws pose immediate security and compliance risks. The rapid disclosure cycle from public competitions like Pwn2Own forces organizations to address vulnerabilities proactively, or risk data breaches, extortion, and regulatory penalties.
Attack Path Analysis
Attackers exploited zero-day vulnerabilities in QNAP NAS devices to gain initial access. They then escalated privileges within the compromised system to obtain broader access. Leveraging internal connectivity, attackers moved laterally to other workloads or services on the same network. To maintain control, they established outbound connections for remote management or C2 communications. Sensitive data was exfiltrated over the network to external locations. Finally, attackers could have deployed destructive payloads or encrypted NAS contents, impacting data availability and business operations.
Kill Chain Progression
Initial Compromise
Description
Exploitation of multiple zero-day vulnerabilities in QNAP NAS devices allowed unauthorized external access.
Related CVEs
CVE-2025-62847
CVSS 9.8A remote code execution vulnerability in QNAP's QTS and QuTS hero operating systems allows unauthenticated attackers to execute arbitrary commands.
Affected Products:
QNAP QTS – 5.2.x
QNAP QuTS hero – h5.2.x, h5.3.x
Exploit Status:
proof of conceptCVE-2025-62848
CVSS 8.8A privilege escalation vulnerability in QNAP's QTS and QuTS hero operating systems allows authenticated attackers to gain elevated privileges.
Affected Products:
QNAP QTS – 5.2.x
QNAP QuTS hero – h5.2.x, h5.3.x
Exploit Status:
proof of conceptCVE-2025-62849
CVSS 9.1A vulnerability in QNAP's QTS and QuTS hero operating systems allows remote attackers to bypass authentication mechanisms.
Affected Products:
QNAP QTS – 5.2.x
QNAP QuTS hero – h5.2.x, h5.3.x
Exploit Status:
proof of conceptCVE-2025-11837
CVSS 9.8A vulnerability in QNAP's Malware Remover allows remote attackers to execute arbitrary code.
Affected Products:
QNAP Malware Remover – 6.6.8.20251023 and earlier
Exploit Status:
proof of conceptCVE-2025-59389
CVSS 9.8A vulnerability in QNAP's Hyper Data Protector allows remote attackers to execute arbitrary code.
Affected Products:
QNAP Hyper Data Protector – 2.2.4.1 and earlier
Exploit Status:
proof of conceptCVE-2025-62840
CVSS 9.8A vulnerability in QNAP's HBS 3 Hybrid Backup Sync allows remote attackers to execute arbitrary code.
Affected Products:
QNAP HBS 3 Hybrid Backup Sync – 26.2.0.938 and earlier
Exploit Status:
proof of conceptCVE-2025-62842
CVSS 9.8A vulnerability in QNAP's HBS 3 Hybrid Backup Sync allows remote attackers to execute arbitrary code.
Affected Products:
QNAP HBS 3 Hybrid Backup Sync – 26.2.0.938 and earlier
Exploit Status:
proof of concept
MITRE ATT&CK® Techniques
Exploit Public-Facing Application
Exploitation for Client Execution
Exploitation for Privilege Escalation
Abuse Elevation Control Mechanism
Impair Defenses
Endpoint Denial of Service
Modify Authentication Process
OS Credential Dumping
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Security Vulnerabilities Management
Control ID: 6.2.3
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 6
CISA ZTMM 2.0 – Vulnerability Management & Patching
Control ID: Asset Management (Identify)
NIS2 Directive – Supply Chain & Security Measures
Control ID: Article 21(2)(d)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Health Care / Life Sciences
QNAP NAS zero-day vulnerabilities expose patient data storage systems to exploitation, threatening HIPAA compliance and medical device security infrastructure.
Financial Services
Zero-day NAS exploits compromise financial data repositories and backup systems, risking regulatory violations and encrypted traffic security requirements.
Information Technology/IT
IT infrastructure relies heavily on NAS devices for data management, making zero-day vulnerabilities critical for network segmentation and threat detection capabilities.
Government Administration
Government NAS systems vulnerable to zero-day attacks threaten sensitive data integrity and compliance with federal cybersecurity frameworks and visibility requirements.
Sources
- QNAP fixes seven NAS zero-day flaws exploited at Pwn2Ownhttps://www.bleepingcomputer.com/news/security/qnap-fixes-seven-nas-zero-day-vulnerabilities-exploited-at-pwn2own/Verified
- Multiple Vulnerabilities in QTS, QuTS hero, and QuTScloud (PWN2OWN 2023) - Security Advisoryhttps://www.qnap.com/en-us/security-advisory/qsa-24-14Verified
- QNAP fixed multiple zero-days in its software demonstrated at Pwn2Own 2025https://securityaffairs.com/184396/hacking/qnap-fixed-multiple-zero-days-in-its-software-demonstrated-at-pwn2own-2025.htmlVerified
- QNAP fixes 7 critical NAS bugs discovered at Pwn2Own Ireland 2025https://www.redhotcyber.com/en/post/qnap-fixes-7-critical-nas-bugs-discovered-at-pwn2own-ireland-2025Verified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
Implementing Zero Trust Segmentation, east-west traffic controls, real-time threat detection, and robust egress policy enforcement would have dramatically reduced attackers' ability to exploit, traverse, and exfiltrate from the compromised QNAP NAS environment. CNSF capabilities enable detection, containment, and prevention of unauthorized actions at each phase of the kill chain.
Control: Cloud Firewall (ACF)
Mitigation: Threats blocked at the network perimeter before exploit traffic reached NAS devices.
Control: Threat Detection & Anomaly Response
Mitigation: Rapid detection of abnormal privilege elevation or process activity.
Control: Zero Trust Segmentation
Mitigation: Lateral movement blocked via strict identity-based network segmentation.
Control: Egress Security & Policy Enforcement
Mitigation: Malicious outbound and C2 traffic detected and blocked.
Control: Encrypted Traffic (HPE) and Inline IPS (Suricata)
Mitigation: Suspicious exfiltration attempts identified and mitigated at egress points.
Immediate visibility into malicious impact actions for rapid containment.
Impact at a Glance
Affected Business Functions
- Data Storage
- Backup Services
- Data Recovery
Estimated downtime: 3 days
Estimated loss: $500,000
Potential exposure of sensitive data stored on NAS devices due to unauthorized access.
Recommended Actions
Key Takeaways & Next Steps
- • Implement Zero Trust Segmentation to restrict NAS and internal workload access on a least-privilege basis.
- • Deploy Cloud Firewall (ACF) and egress security policies to block unauthorized inbound and outbound connections at all perimeters.
- • Enable real-time Threat Detection & Anomaly Response to identify privilege escalation and unusual process activity.
- • Leverage Inline IPS and encrypted traffic inspection to detect and stop known exploit and exfiltration patterns.
- • Ensure centralized visibility across multi-cloud and hybrid environments for rapid containment and incident response.
