QNAP addressed seven zero-day vulnerabilities exploited at Pwn2Own Ireland 2025, impacting its NAS operating systems. Identified vulnerabilities, including CVE-2025-62847 and CVE-2025-62848, enable remote code execution and privilege escalation attacks. These vulnerabilities, demonstrated by teams such as Summoning Team and DEVCORE, allowed unauthenticated attackers to achieve full system takeovers. The exploits highlight serious kernel and web interface weaknesses leading to potential data compromises.
QNAP released firmware updates on October 24, 2025, to mitigate these threats with enhanced input sanitization and kernel patches. Users of affected OS versions, including QTS 5.2.x and QuTS hero h5.2.x, need to upgrade promptly to prevent exploitation. Additional vulnerabilities impacting integrated applications have the potential to facilitate supply-chain attacks, underscoring the importance of strict security protocols. The incident underlines the effectiveness of bug bounty programs in fostering better security practices within the tech community.
👉 Read the original: Cyber Security News