QNAP Patches Seven Zero-Day Vulnerabilities Exploited at Pwn2Own Ireland 2025
Summary
QNAP has addressed seven zero-day vulnerabilities in its QTS and QuTS hero operating systems and in various applications, all of which were demonstrated at the Pwn2Own Ireland 2025 competition. The flaws were exploited by multiple security research teams, including the Summoning Team, DEVCORE, Team DDOS, and a CyCraft technology intern. The vulnerabilities impacted QNAP's Hyper Data Protector, Malware Remover, and HBS 3 Hybrid Backup Sync software. Additionally, Synology has fixed a critical-severity remote code execution (RCE) vulnerability in BeeStation products, also demonstrated at Pwn2Own Ireland 2025. QNAP and Synology recommend updating software to the latest versions and changing all passwords for enhanced security.
Timeline
- 07.11.2025 20:24 · 2 articles
QNAP Releases Patches for Seven Zero-Day Vulnerabilities Exploited at Pwn2Own Ireland 2025
QNAP has fixed seven zero-day vulnerabilities in its QTS and QuTS hero operating systems and in various applications, all of which were demonstrated at the Pwn2Own Ireland 2025 competition. The vulnerabilities were exploited by multiple security research teams, and QNAP has released patches for all affected software versions. Users are advised to update their software to the latest versions and change all passwords. Additionally, Synology has addressed a critical-severity RCE vulnerability in BeeStation products, also demonstrated at Pwn2Own Ireland 2025.
- QNAP fixes seven NAS zero-day flaws exploited at Pwn2Own — www.bleepingcomputer.com — 07.11.2025 20:24
- Synology fixes BeeStation zero-days demoed at Pwn2Own Ireland — www.bleepingcomputer.com — 12.11.2025 00:34
Information Snippets
- The vulnerabilities were demonstrated at Pwn2Own Ireland 2025 by multiple security research teams.
First reported: 07.11.2025 20:24 · 1 source, 1 article
- QNAP fixes seven NAS zero-day flaws exploited at Pwn2Own — www.bleepingcomputer.com — 07.11.2025 20:24
- The flaws impact QNAP's QTS and QuTS hero operating systems, Hyper Data Protector, Malware Remover, and HBS 3 Hybrid Backup Sync software.
First reported: 07.11.2025 20:24 · 1 source, 2 articles
- QNAP fixes seven NAS zero-day flaws exploited at Pwn2Own — www.bleepingcomputer.com — 07.11.2025 20:24
- Synology fixes BeeStation zero-days demoed at Pwn2Own Ireland — www.bleepingcomputer.com — 12.11.2025 00:34
- QNAP has released patches for all affected software versions.
First reported: 07.11.2025 20:24 · 1 source, 2 articles
- QNAP fixes seven NAS zero-day flaws exploited at Pwn2Own — www.bleepingcomputer.com — 07.11.2025 20:24
- Synology fixes BeeStation zero-days demoed at Pwn2Own Ireland — www.bleepingcomputer.com — 12.11.2025 00:34
- Users are advised to update their software to the latest versions and change all passwords.
First reported: 07.11.2025 20:24 · 1 source, 2 articles
- QNAP fixes seven NAS zero-day flaws exploited at Pwn2Own — www.bleepingcomputer.com — 07.11.2025 20:24
- Synology fixes BeeStation zero-days demoed at Pwn2Own Ireland — www.bleepingcomputer.com — 12.11.2025 00:34
- Synology has addressed a critical-severity remote code execution (RCE) vulnerability in BeeStation products, demonstrated at Pwn2Own Ireland 2025.
First reported: 12.11.2025 00:34 · 1 source, 1 article
- Synology fixes BeeStation zero-days demoed at Pwn2Own Ireland — www.bleepingcomputer.com — 12.11.2025 00:34
- The vulnerability (CVE-2025-12686) is described as a 'buffer copy without checking the size of input' problem.
First reported: 12.11.2025 00:34 · 1 source, 1 article
- Synology fixes BeeStation zero-days demoed at Pwn2Own Ireland — www.bleepingcomputer.com — 12.11.2025 00:34
- The flaw impacts multiple versions of BeeStation OS, the software powering Synology’s network-attached storage (NAS) devices.
First reported: 12.11.2025 00:34 · 1 source, 1 article
- Synology fixes BeeStation zero-days demoed at Pwn2Own Ireland — www.bleepingcomputer.com — 12.11.2025 00:34
- Researchers Tek and anyfun at Synacktiv exploited the flaw during Pwn2Own Ireland 2025 and received a $40,000 reward.
First reported: 12.11.2025 00:34 · 1 source, 1 article
- Synology fixes BeeStation zero-days demoed at Pwn2Own Ireland — www.bleepingcomputer.com — 12.11.2025 00:34
Similar Happenings
73 Zero-day Vulnerabilities Exploited in Pwn2Own Ireland 2025
The Pwn2Own Ireland 2025 hacking competition concluded with security researchers collecting $1,024,750 in cash awards after exploiting 73 zero-day vulnerabilities. The event, held in Cork, Ireland, targeted vulnerabilities in various devices, including smartphones, messaging apps, smart home devices, printers, and more. The Zero Day Initiative (ZDI) operates the event to identify security flaws before threat actors can exploit them. Summoning Team won the competition with 22 Master of Pwn points and $187,500 earned throughout the three-day event. Team ANHTUD secured the second position with $76,750 and 11.5 Master of Pwn points, while Team Synacktiv took third place with $90,000 in prizes and 11 Master of Pwn points. The event featured eight categories, including new attack vectors for mobile devices, and offered a $1 million reward for a zero-click WhatsApp exploit. On the first day, researchers demoed 34 unique zero-days and collected $522,500 in cash awards. Team DDOS chained eight zero-day flaws to hack a QNAP Qhora-322 Ethernet wireless router and gain access to a QNAP TS-453E NAS device, earning $100,000. On the second day, researchers exploited 56 unique zero-day vulnerabilities and collected $792,750 in cash awards. Ken Gannon and Dimitrios Valsamaras hacked the Samsung Galaxy S25, earning $50,000 and 5 Master of Pwn points. On the third day, the Samsung Galaxy S25 was hacked by Interrupt Labs via an improper input validation bug, earning 5 Master of Pwn points and $50,000.