Threat Advisory

Multiple Zero-Day Vulnerabilities in QNAP NAS Operating Systems and Backup Tools

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT, Finance & Banking
Criticality: High

EXECUTIVE SUMMARY:

Multiple software flaws were found and fixed across several QNAP products after they were publicly demonstrated. The affected products are the main NAS operating systems (QTS and QuTS hero), the Hyper Data Protector backup and recovery software, the Malware Remover tool, and HBS 3 Hybrid Backup Sync.

  • CVE-2025-62847: This issue affects the NAS operating systems QTS and QuTS hero. The vendor fixed it in the QTS / QuTS hero builds listed under RECOMMENDATION below. Because these operating systems are the device's core system layer, an unpatched device could be exposed in ways that affect device operation or stored data.
  • CVE-2025-62848: Also found in QTS and QuTS hero, this flaw is addressed by the same OS updates. Since it lies in the core system, leaving it unpatched increases the risk to services running on the device.
  • CVE-2025-62849: A third OS-level flaw in QTS / QuTS hero, grouped with the others and fixed in the same builds. Because several OS flaws were demonstrated together, make sure the complete OS update is applied.
  • CVE-2025-11837: This flaw affects the Malware Remover tool and is fixed in the Malware Remover release listed under RECOMMENDATION below. Malware Remover is used to detect and clean threats, so an unpatched flaw here could reduce the tool's effectiveness or be used as an attack path.
  • CVE-2025-59389: This issue affects Hyper Data Protector, the backup/protection product, and is fixed in the version listed below.
  • CVE-2025-62840: One of two HBS 3 Hybrid Backup Sync flaws. HBS is used for syncing and backup operations between devices and clouds; the fix is in the HBS 3 version listed below.
  • CVE-2025-62842: The second HBS 3 flaw, addressed alongside the first. Like the other HBS issue, it affects the hybrid backup sync software and is fixed in the version listed below.

RECOMMENDATION:

We strongly recommend upgrading to the following fixed versions:

  • QTS: 5.2.7.3297 or later
  • QuTS hero: h5.2.7.3297 / h5.3.1.3292 or later
  • Malware Remover: 6.6.8.20251023 or later
  • Hyper Data Protector: 2.2.4.1 or later
  • HBS 3 Hybrid Backup Sync: 26.2.0.938 or later
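As an added illustration, not part of the advisory or of any QNAP tooling, the following Python checks an asset inventory against the fixed builds listed above. The hostnames and installed versions in the sample are constructed, and the branch reading of "or later" (a QuTS hero h5.3.0.x build must reach h5.3.1.3292, not merely exceed h5.2.7.3297) is an assumption about how the two QuTS hero minimums should be interpreted.

```python
import re

# Minimum fixed builds from the advisory, as integer tuples. QuTS hero lists two
# branches (5.2.x and 5.3.x), each with its own minimum build.
FIXED_VERSIONS = {
    "QTS": [(5, 2, 7, 3297)],
    "QuTS hero": [(5, 2, 7, 3297), (5, 3, 1, 3292)],
    "Malware Remover": [(6, 6, 8, 20251023)],
    "Hyper Data Protector": [(2, 2, 4, 1)],
    "HBS 3 Hybrid Backup Sync": [(26, 2, 0, 938)],
}

def parse_version(text):
    """Turn '5.2.7.3297' or 'h5.3.1.3292' (QuTS hero prefix) into a tuple of ints."""
    m = re.fullmatch(r"h?(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))

def is_fixed(product, version):
    """True if the installed build meets the advisory's minimum for its own branch.
    Assumption (not stated by the advisory): a build on a listed major.minor branch
    must meet that branch's minimum; a build on a newer, unlisted branch counts as
    'or later'; a build on an older, unlisted branch does not."""
    installed = parse_version(version)
    minimums = FIXED_VERSIONS[product]
    same_branch = [m for m in minimums if m[:2] == installed[:2]]
    if same_branch:
        return installed >= same_branch[0]
    return installed[:2] > max(minimums)[:2]

def outstanding_updates(inventory):
    """Return (host, product, version) for every entry still below the fixed build."""
    return [(h, p, v) for h, p, v in inventory if not is_fixed(p, v)]

# Constructed sample inventory: hostnames and installed versions are made up.
SAMPLE_INVENTORY = [
    ("nas-01", "QTS", "5.2.7.3297"),
    ("nas-02", "QuTS hero", "h5.3.0.2900"),   # 5.3 branch, below h5.3.1.3292
    ("nas-03", "QuTS hero", "h5.2.7.3297"),
    ("nas-03", "Malware Remover", "6.6.7.20250901"),
    ("nas-04", "HBS 3 Hybrid Backup Sync", "26.2.0.938"),
]

if __name__ == "__main__":
    for host, product, version in outstanding_updates(SAMPLE_INVENTORY):
        print(f"{host}: {product} {version} is below the fixed build")
```

Note that a QuTS hero build on the 5.3 branch that is older than h5.3.1.3292 is reported as outstanding even though it is numerically higher than h5.2.7.3297.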

REFERENCES:

The following reports contain further technical details:

https://securityaffairs.com/184396/hacking/qnap-fixed-multiple-zero-days-in-its-software-demonstrated-at-pwn2own-2025.html
