QNAP Fixes Critical Flaws Exposed by Pwn2Own Contest Winners

Vaibhav March 23, 2026
QNAP-Fixes-Critical-Flaws-Exposed-by-Pwn2Own-Contest-Winners
Post Views: 80

Qnap Addresses Multiple Vulnerabilities Across Its Products

The Taiwanese company has released patches for four security defects discovered during the Pwn2Own Ireland hacking contest in October 2025. The vulnerabilities, designated as CVE-2025-62843 to CVE-2025-62846, affect QNap’s SD-WAN routers and were fixed in QuRouter version 2.6.3.009.

Vulnerability Details

  • CVE-2025-62843: An attacker can gain specific privileges by exploiting this issue through physical access to a vulnerable device.
  • CVE-2025-62844: An attacker can obtain sensitive information by exploiting this issue over the local network.
  • CVE-2025-62845: An attacker with administrative privileges can cause unexpected device behavior or execute unauthorized code or commands.
  • CVE-2025-62846: This vulnerability was successfully exploited by Team DDOS during the Pwn2Own contest and allowed them to execute unauthorized code or commands.
According to the QNAP advisory, the vendor has assigned a critical severity rating to the advisory and recommends that users update their QuNetSwitch software to versions 2.0.4.0415 and 2.0.5.0906 or later to mitigate the risks associated with these vulnerabilities.

Additional Security Updates

In addition to resolving the Pwn2Own-related issues, the patches also address several other vulnerabilities in QuNetSwitch, including:

  • A potential vulnerability that could lead to arbitrary code execution.
  • A hardcoded credential vulnerability that could grant unauthorized access.
  • A vulnerability that could allow arbitrary command execution.
According to the QNAP advisory, the vendor warns of a separate vulnerability in QVR Pro involving a missing authentication mechanism that could enable remote attackers to access vulnerable systems. Users are advised to upgrade to a more secure version to prevent exploitation.

Furthermore, QNAP has addressed medium-severity vulnerabilities in Media Streaming Add-on and QuFTP Service that could lead to crashes or data leaks. Although QNAP does not indicate that any of these vulnerabilities have been exploited in the wild, the patches are still essential to ensure the continued security and stability of affected systems.



About Author

Vaibhav

See author's posts

More Stories

Thousands-of-Servers-Remain-Vulnerable-to-Outdated-FTP-Services

Thousands of Servers Remain Vulnerable to Outdated FTP Services

Vaibhav April 17, 2026
Vijay-Film-Leak-Investigation-Uncovers-Key-Suspect-Freelance-Editor

Vijay Film Leak Investigation Uncovers Key Suspect – Freelance Editor

Vaibhav April 17, 2026
Cyber-Fraud-Scheme-Involves-Fake-Court-Orders-to-Target-Banks

Cyber Fraud Scheme Involves Fake Court Orders to Target Banks

Vaibhav April 17, 2026

Latest Cyber Security News

Thousands-of-Servers-Remain-Vulnerable-to-Outdated-FTP-Services

Thousands of Servers Remain Vulnerable to Outdated FTP Services

Vaibhav April 17, 2026
Nudification-Apps-Bypassing-Bans-A-Look-at-AI-Driven-NSFW-Content-on-App-Stores

Nudification Apps Bypassing Bans: A Look at AI-Driven NSFW Content on App Stores

Vaibhav April 17, 2026
Major-Cyber-Operation-Uncovers-2-200-Suspected-Malicious-Accounts-Under-Operation-Prahar

Major Cyber Operation Uncovers 2,200 Suspected Malicious Accounts Under ‘Operation Prahar

Vaibhav April 17, 2026
Vijay-Film-Leak-Investigation-Uncovers-Key-Suspect-Freelance-Editor

Vijay Film Leak Investigation Uncovers Key Suspect – Freelance Editor

Vaibhav April 17, 2026
windows-zero-day-vulnerabilities-exploited-in-real-world-attacks-latest-news

windows zero-day vulnerabilities exploited in real-world attacks, latest news

Vaibhav April 17, 2026
en_USEnglish
en_USEnglish