Pwn2Own Ireland 2025 zero-day demonstrations security flaw

Vulnerability
H score 45
1 unique source, 3 articles

Summary

QNAP patched seven zero-day vulnerabilities after researchers exploited them at Pwn2Own Ireland 2025 against QNAP NAS devices. The flaws affect QTS, QuTS hero, Hyper Data Protector, Malware Remover, and HBS 3 Hybrid Backup Sync, with CVEs including CVE-2025-62847, CVE-2025-62848, CVE-2025-62849, CVE-2025-59389, CVE-2025-11837, CVE-2025-62840, and CVE-2025-62842. QNAP said the bugs were demonstrated by Summoning Team, DEVCORE, Team DDOS, and a CyCraft technology intern. The vendor recommends updating to the latest versions and changing all passwords.

Related Happenings

SilentGlass launch as a monitor-connection protection security device

Security Tool/Service
First: 22.04.2026 18:00 Last: 22.04.2026 18:00 Sources 1

About this happening: The **UK National Cyber Security Centre** has released **SilentGlass**, a plug-and-play device that blocks unexpected or malicious signals between **HDMI** or **display port** con...

Operation Triangulation updated iPhone espionage campaign

Campaign
First: 26.03.2026 15:10 Last: 26.03.2026 15:10 Sources 1

About this happening: The **Operation Triangulation** espionage lineage has resurfaced through **Coruna**, extending **zero-click iPhone** targeting to newer **A17** and **M3** devices and **iOS 17.2**...

DarkSword iPhone exploit chain exploitation wave

Exploitation Wave
First: 18.03.2026 23:15 Last: 18.03.2026 23:15 Sources 1

About this happening: **DarkSword** is an **active iPhone exploitation wave** targeting **iOS 18.4 through iOS 18.7**, with **Apple** expanding **iOS 18.7.7** and **iPadOS 18.7.7** to more older device...

Latest development: 02.04.2026 16:30

Apple broadened availability of iOS 18.7.7 and iPadOS 18.7.7 on April 1 to more devices still running iOS 18, including iPhone XR through iPhone 16 models, iPhone SE (2nd and 3rd generation), and multiple iPad models, so they can receive security patches against DarkSword web-based watering hole attacks that can deploy malware after a user visits a compromised website. Apple also began sending lock screen notifications to users running older software, urging installation of the latest security updates.

Rising zero-day exploitation across end-user and enterprise products in 2025

Target Trend
First: 05.03.2026 17:03 Last: 05.03.2026 17:03 Sources 1

About this happening: **Zero-day exploitation** stayed elevated in **2025**, with **90 actively exploited flaws** spread across **end-user platforms** and **enterprise products**. That matters because...

Coruna iOS exploit kit used for crypto-theft payloads

Malware Activity
First: 04.03.2026 21:06 Last: 04.03.2026 21:06 Sources 1

About this happening: The **Coruna** exploit kit is being used in active attacks, giving operators **23 iOS exploits** and five exploit chains that reach **iOS 13.0 through 17.2.1**. The kit can delive...

Timeline

  1. 07.11.2025 20:24 1 article · 6mo ago

    QNAP patches Pwn2Own Ireland 2025 zero-days

    Mitigation Patch Update

    QNAP fixed seven zero-day vulnerabilities in QTS and QuTS hero (CVE-2025-62847, CVE-2025-62848, CVE-2025-62849), Hyper Data Protector (CVE-2025-59389), Malware Remover (CVE-2025-11837), and HBS 3 Hybrid Backup Sync (CVE-2025-62840, CVE-2025-62842) after researchers from Summoning Team, DEVCORE, Team DDOS, and a CyCraft technology intern exploited them during Pwn2Own Ireland 2025 against QNAP NAS devices; QNAP recommends updating to the latest versions and changing all passwords.

  2. 21.10.2025 20:06 3 articles · 7mo ago

    Day one zero-day exploit demonstrations

    Exploitation Observed

    Security researchers exploited 34 unique zero-days and collected $522,500 in cash awards on the first day of Pwn2Own Ireland 2025 in Cork, Ireland. Team DDOS chained eight zero-day flaws to hack a QNAP Qhora-322 Ethernet wireless router via the WAN interface and pivot to a QNAP TS-453E NAS device, while Synacktiv Team, the Summoning Team, the DEVCORE Team, Rapid7, STARLabs, Team PetoWorks, Team ANHTUD, and Ierae also gained root or compromised devices including the Synology BeeStation Plus, Synology DiskStation DS925+, Home Assistant Green, Canon imageCLASS MF654Cdw multifunction laser printer, Sonos Era 300 smart speaker, Philips Hue Bridge, and Synology ActiveProtect Appliance DP320.

  3. 21.10.2025 20:06 1 article · 7mo ago

    Pwn2Own Ireland 2025 contest and disclosure framework

    Initial Disclosure

    Pwn2Own Ireland 2025 takes place from October 21 to October 24 in Cork, Ireland, with Meta, QNAP, and Synology co-sponsoring the contest. The program targets flagship smartphones such as Apple iPhone 16, Samsung Galaxy S25, and Google Pixel 9, as well as messaging apps, smart home devices, printers, home networking equipment, network storage systems, surveillance equipment, and wearable technology, and ZDI says vendors receive 90 days to release security updates before public disclosure. ZDI also expanded the mobile category to include USB port exploitation against locked handsets, while traditional wireless vectors such as Bluetooth, Wi-Fi, and near-field communication (NFC) remain valid, and a $1 million reward is available for a zero-click WhatsApp exploit that allows code execution without user interaction.