QNAP Patches Four Vulnerabilities Exploited at Pwn2Own 

QNAP released patches for multiple vulnerabilities across its products, including four SD‑WAN router bugs demonstrated at Pwn2Own Ireland 2025 (CVE-2025-62843 to CVE-2025-62846). The vendor also issued fixes for QuNetSwitch and QVR Pro defects, urged updates to patched versions, and noted the Pwn2Own exploits were performed by Team DDOS but not observed in the wild.

Key points

  • QNAP released updates addressing multiple vulnerabilities across routers, switch software, QVR Pro, and add-ons.
  • Four SD‑WAN router flaws (CVE-2025-62843–62846) demonstrated at Pwn2Own 2025 were fixed in QuRouter v2.6.3.009.
  • One router bug requires physical access, another can be exploited over the local network to leak sensitive data, and two allow admin-privileged attackers to cause crashes or execute code.
  • Team DDOS chained multiple bugs at Pwn2Own to gain root and earned $100,000; QNAP had previously patched two contest-demonstrated flaws within weeks.
  • Critical fixes for QuNetSwitch (arbitrary code, hardcoded credentials) and a missing-auth issue in QVR Pro were released; medium-severity issues in Media Streaming Add-on and QuFTP were also addressed. Users should update to the vendor-recommended versions.

Read More: https://www.securityweek.com/qnap-patches-four-vulnerabilities-exploited-at-pwn2own/