QNAP Patches Four Vulnerabilities Exploited at Pwn2Own
QNAP patches four vulnerabilities exploited at Pwn2Own 2025 hacking contest.
Summary
QNAP released patches for four vulnerabilities (CVE-2025-62843 to CVE-2025-62846) in its SD-WAN QuRouter products that were demonstrated and exploited at Pwn2Own Ireland 2025 by Team DDOS, who chained eight bugs to gain root access. The flaws range from one that requires physical access to two that let an attacker who already holds administrative privileges execute unauthorized code or commands. QNAP also addressed additional critical issues in QuNetSwitch, QVR Pro, and other products, and has not reported any in-the-wild exploitation.
Full text
QNAP on Friday announced patches for multiple vulnerabilities across its products, including four issues that were demonstrated at the Pwn2Own Ireland hacking contest in October 2025.

The four security defects, tracked as CVE-2025-62843 to CVE-2025-62846, impact the company’s SD-WAN routers and were addressed in QuRouter version 2.6.3.009.

According to QNAP’s advisory, the first bug requires physical access to a vulnerable device to gain specific privileges, while the second flaw could be exploited over the local network to obtain sensitive information. The last two weaknesses can be exploited by attackers who already hold administrative privileges to cause unexpected device behavior or to execute unauthorized code or commands.

The vendor notes that all four vulnerabilities were exploited at Pwn2Own 2025 by Team DDOS. On the first day of the contest, the team chained eight bugs in QNAP routers and NAS devices to obtain root privileges, earning a $100,000 reward for the exploit.

Less than three weeks after the competition, QNAP rolled out fixes for two of the demonstrated flaws, CVE-2025-62840 and CVE-2025-62842. It also resolved issues exploited at the contest by other teams.

In addition to the Pwn2Own defects, QNAP on Friday rolled out patches for four vulnerabilities in QuNetSwitch that could lead to arbitrary code execution, unauthorized access via hardcoded credentials, and arbitrary command execution. The vendor assigned a critical severity rating to the advisory, urging users to update to QuNetSwitch versions 2.0.4.0415 and 2.0.5.0906 or later.

Another critical issue QNAP warned about is a missing authentication check in QVR Pro that could give remote attackers access to vulnerable systems. QVR Pro versions 2.7.4.1485 and later resolve the bug.

Additionally, the company addressed medium-severity vulnerabilities in the Media Streaming Add-on and QuFTP Service that could lead to crashes or data leaks.
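The advisories above give fixed builds rather than affected ranges, and QuNetSwitch has two minimum builds (2.0.4.0415 and 2.0.5.0906), so a single "greater than" comparison, or a plain string comparison, gives the wrong answer for a build such as 2.0.5.0100. The following Python is an added example, not QNAP's own tooling: it reads the two QuNetSwitch builds as per-branch minimums (an assumption about how QNAP numbers releases; the branch is taken to be every dotted component except the last), treats builds on a branch newer than any listed fix as patched in line with the advisory's "or later" wording, and runs the check over a constructed inventory of hypothetical hosts.

```python
"""Branch-aware 'is this QNAP build patched?' check.

Added example, not QNAP's own tooling. The fixed builds are the ones quoted
in the article; the version format (dotted numeric components such as
2.0.5.0906, last component = build number) is an assumption drawn from those
strings, and the inventory below is constructed for the example.
"""

# Fixed builds per product, as listed in the advisories quoted above.
# QuNetSwitch lists two minimums, read here as one per release branch.
FIXED_VERSIONS: dict[str, list[str]] = {
    "QuRouter": ["2.6.3.009"],
    "QuNetSwitch": ["2.0.4.0415", "2.0.5.0906"],
    "QVR Pro": ["2.7.4.1485"],
}


def parse_version(version: str) -> tuple[int, ...]:
    """Split '2.0.5.0906' into (2, 0, 5, 906).

    Numeric comparison matters: as strings, '2.6.3.10' sorts below '2.6.3.9'.
    Leading zeros in the build number are dropped by int().
    """
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_patched(product: str, installed: str) -> bool:
    """True if the installed build carries the fix.

    Rules (assumptions stated in the lead-in):
      1. Same branch as a listed fix  -> compare build numbers.
      2. Branch newer than every listed fix -> assume patched ('or later').
      3. Anything else (older branch, no fix listed) -> treat as unpatched.
    """
    fixed_list = FIXED_VERSIONS.get(product)
    if fixed_list is None:
        raise KeyError(f"no fixed version recorded for {product!r}")
    inst = parse_version(installed)
    fixed_tuples = [parse_version(f) for f in fixed_list]
    for fx in fixed_tuples:
        if len(fx) == len(inst) and fx[:-1] == inst[:-1]:
            return inst[-1] >= fx[-1]          # rule 1: same branch
    return inst > max(fixed_tuples)            # rule 2 or rule 3


def audit(inventory: list[dict[str, str]]) -> list[str]:
    """Return the host names in the inventory that run an unpatched build."""
    return [d["host"] for d in inventory
            if not is_patched(d["product"], d["version"])]


# Constructed sample inventory: hypothetical hosts and builds, not real data.
SAMPLE_INVENTORY = [
    {"host": "router-01", "product": "QuRouter",    "version": "2.6.3.009"},
    {"host": "router-02", "product": "QuRouter",    "version": "2.6.2.120"},
    {"host": "switch-01", "product": "QuNetSwitch", "version": "2.0.5.0100"},
    {"host": "switch-02", "product": "QuNetSwitch", "version": "2.0.4.0415"},
    {"host": "nvr-01",    "product": "QVR Pro",     "version": "2.7.4.1485"},
]

if __name__ == "__main__":
    for host in audit(SAMPLE_INVENTORY):
        print(f"{host}: unpatched build, update per QNAP advisory")
```

Note the switch-01 case: 2.0.5.0100 is numerically above the 2.0.4.0415 fix, so a single-threshold check would pass it, yet it sits below the 2.0.5 branch's own minimum of 0906 and is flagged. Builds on a branch with no listed fix are flagged as well, which is the conservative choice when the advisory gives no information about them.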
QNAP makes no mention of any of these vulnerabilities being exploited in the wild. Additional information can be found on the company’s security advisories page.

Written by Ionut Arghire, international correspondent for SecurityWeek.
Indicators of Compromise
- cve — CVE-2025-62843
- cve — CVE-2025-62844
- cve — CVE-2025-62845
- cve — CVE-2025-62846
- cve — CVE-2025-62840
- cve — CVE-2025-62842
- research team — Team DDOS (Pwn2Own Ireland 2025 contestants, not malware)