Critical QNAP NAS Zero-Day Flaws Exploited at Pwn2Own — Fixes Now Available

johny899

Hello! If you have a QNAP NAS (those little boxes that hold all of your files at home or at work), you are going to want to pay attention to this. QNAP has just patched seven severe security vulnerabilities, and the hackers demonstrated how they could use those vulnerabilities at the Pwn2Own hacking competition. Pretty insane, right? I own a QNAP device, so reading this made me think at once, "I better update my device right now!"

What Happened

The Discovery

During the Pwn2Own Ireland 2025 competition, a group of security researchers assessed the QNAP devices and disclosed seven zero-day vulnerabilities. A zero-day means that the company didn't know that there was a zero-day vulnerability when the hackers demonstrated the vulnerability; therefore, there was no patch.

The vulnerabilities were in:
  • QNAP's core systems - QTS and QuTS hero
  • Hyper Data Protection app
  • Malware Remover app
  • HBS 3 Hybrid Backup Sync app
Essentially, the vulnerabilities exposed the NAS to NTFS file system, file management, privilege escalation, and remote code execution if you hadn't patched your system yet - pretty wild!

Why It’s Important

If your NAS is online or accessible from the internet, these bugs may allow attackers to mess with your backups, or possibly even steal your data! I know many people who set up their NAS once and then never tinker with it again. This is risky! Hackers love to find devices that haven’t been touched or updated in years!

What QNAP Did (and What You Should Do)

Here’s the good news: Dell saw the news and put out updates for everything! Patches were made available for:
  • QTS 5.2.7.3297 and QuTS hero h5.2.7.3297 / h5.3.1.3292
  • Hyper Data Protector 2.2.4.1 or later
  • Malware Remover 6.6.8.20251023 or later
  • HBS 3 Backup Sync 26.2.0.938 or later

What To Do Right Now

Here’s the quick checklist I followed personally:
  • Log into your NAS - Control Panel - Firmware Update - Check for Update.
  • App Center - update all apps (especially ones mentioned above).
  • Change your passwords, especially if you haven’t changed them in a while.
  • Turn off remote access (if you can), unless you really need it or connect through a VPN.
  • Enable auto-updates, so you don’t have to remember next time.
Doing all these will take you 10 minutes, tops, and is 100% worth it to prevent disasters later!

Why This Will Wake You Up

If you think your NAS is safe because it’s sitting there in the corner — think again! These bugs were both zero-days, as no one knew they existed until experts exploited them in the Pwn2Own contest. If the good guys can break in, so can the bad guys! So YES, updates matter now more than ever.

Endnotes

So here’s the bottom line: QNAP patched seven serious security bugs, which hackers used in the $1M contest. If you have a QNAP NAS, update now, change your passwords, and lock down remote access!
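
An added example, not part of the original post: a small Python check that compares the versions you read off your NAS (Control Panel and App Center) against the fixed versions listed above. The product keys, the sample inventory and the rule for branches not listed in the post are assumptions made for this example.

```python
import re

# Fixed versions as listed in the post. QuTS hero has two patched branches.
FIXED = {
    "QTS": ["5.2.7.3297"],
    "QuTS hero": ["h5.2.7.3297", "h5.3.1.3292"],
    "Hyper Data Protector": ["2.2.4.1"],
    "Malware Remover": ["6.6.8.20251023"],
    "HBS 3 Hybrid Backup Sync": ["26.2.0.938"],
}

def parse(version):
    """Turn '5.2.7.3297' or 'h5.2.7.3297' into a tuple of ints."""
    m = re.fullmatch(r"h?(\d+(?:\.\d+)*)", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(part) for part in m.group(1).split("."))

def is_patched(product, installed):
    """True if the installed version is at or above the fixed build."""
    have = parse(installed)
    fixed = sorted(parse(v) for v in FIXED[product])
    if len(fixed) == 1:
        return have >= fixed[0]
    for f in fixed:
        if have[:2] == f[:2]:  # same major.minor branch
            return have >= f
    # Assumption: a branch newer than all listed ones already has the fix;
    # an older, unlisted branch is reported as needing an update.
    return have[:2] > fixed[-1][:2]

def audit(inventory):
    """Return (product, version) pairs that are below the fixed versions."""
    return [(p, v) for p, v in inventory.items() if not is_patched(p, v)]

# Constructed sample inventory; replace with the versions shown on your NAS.
SAMPLE = {
    "QuTS hero": "h5.3.0.3100",
    "Hyper Data Protector": "2.2.4.1",
    "Malware Remover": "6.6.7.20250901",
    "HBS 3 Hybrid Backup Sync": "26.2.0.938",
}

if __name__ == "__main__":
    for product, version in audit(SAMPLE):
        print(f"UPDATE NEEDED: {product} {version} "
              f"(fixed in {' / '.join(FIXED[product])})")
```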