All news with #qnap tag

QNAP Fixes Seven NAS Zero-Day Flaws From Pwn2Own Competition

🔒 QNAP has released patches for seven zero-day vulnerabilities that were exploited to hack NAS devices during the Pwn2Own Ireland 2025 contest. The flaws affect QTS/QuTS hero and several bundled apps, including Hyper Data Protector, Malware Remover, and HBS 3, and are tracked under multiple CVEs. Fixed firmware and app builds are available and administrators are advised to update via Control Panel > System > Firmware Update and the App Center, then change all passwords. Regularly checking product support status and applying updates promptly are recommended to maintain security.

QNAP: NetBak PC Backup Affected by Critical ASP.NET Flaw

🔔 QNAP has warned that its NetBak PC Agent, a Windows backup utility, may include an affected ASP.NET Core runtime vulnerable to CVE-2025-55315. The flaw resides in the Kestrel ASP.NET Core web server and can allow low-privileged attackers to hijack other users' credentials or bypass front-end security via HTTP request smuggling. QNAP recommends reinstalling the app or manually installing the latest ASP.NET Core Runtime (Hosting Bundle) from the .NET 8.0 downloads to secure systems.

Samsung Galaxy S25 Exploited on Day Two of Pwn2Own

🔓 Security researchers earned $792,750 on day two of Pwn2Own Ireland 2025, exploiting 56 unique zero-day vulnerabilities across smartphones, NAS devices, printers, cameras and smart-home gear. A five-bug chain used by Ken Gannon and Dimitrios Valsamaras successfully compromised the Samsung Galaxy S25, earning $50,000 and 5 Master of Pwn points. Several teams also exploited issues in QNAP and Synology NAS models, printers and IoT devices, and vendors now have 90 days to patch before public disclosure.

Researchers Exploit 34 Zero-Days at Pwn2Own Ireland

🔒On the first day of Pwn2Own Ireland 2025, security researchers exploited 34 unique zero-day vulnerabilities and collected $522,500 in cash awards. Team DDOS (Bongeun Koo and Evangelos Daravigkas) chained eight flaws to compromise a QNAP Qhora-322 router via its WAN interface and access a QNAP TS-453E, earning $100,000 and moving into second place on the Master of Pwn leaderboard. The Summoning Team led day one with $102,500 and 11.5 points after multiple successful root exploits. The Zero Day Initiative (ZDI) organized the event and coordinates 90-day responsible disclosure with affected vendors.

PolarEdge Botnet Targets Cisco, ASUS, QNAP Routers

🔐 Cybersecurity researchers have detailed PolarEdge, a TLS-based ELF implant used to conscript Cisco, ASUS, QNAP and Synology routers into a botnet. The backdoor implements an mbedTLS v2.8.0 server with a custom binary protocol, supports a connect-back and interactive debug mode, and stores its obfuscated configuration in the final 512 bytes of the ELF. Operators use anti-analysis techniques, process masquerading and file-moving/deletion routines; a forked watchdog can relaunch the payload if the parent process disappears.