QNAP Patches Four Vulnerabilities Exploited at Pwn2Own 

The flaws could allow attackers to access sensitive information, execute code, or cause unexpected behavior.


QNAP on Friday announced patches for multiple vulnerabilities across its products, including four issues that were demonstrated at the Pwn2Own Ireland hacking contest in October 2025.

The four security defects, tracked as CVE-2025-62843 to CVE-2025-62846, impact the company’s SD-WAN routers and were addressed in QuRouter version 2.6.3.009.

According to QNAP’s advisory, the first bug requires physical access to a vulnerable device to gain specific privileges, while the second flaw could be exploited over the local network to obtain sensitive information.

The last two weaknesses can be exploited by attackers with administrative privileges to cause unexpected device behavior or execute unauthorized code or commands.

The vendor notes that all four vulnerabilities were exploited at Pwn2Own 2025 by Team DDOS. On the first day of the hacking contest, the team chained eight bugs in QNAP routers and NAS devices to obtain root privileges. It received a $100,000 reward for the exploit.

Less than three weeks after the competition, QNAP rolled out fixes for two of the demonstrated flaws, namely CVE-2025-62840 and CVE-2025-62842. It also resolved issues exploited at the contest by other teams.


In addition to the Pwn2Own defects, QNAP on Friday rolled out patches for four vulnerabilities in QuNetSwitch that could lead to arbitrary code execution, unauthorized access via hardcoded credentials, and arbitrary command execution.

The vendor assigned a critical severity tag to the advisory, urging users to update to QuNetSwitch versions 2.0.4.0415 and 2.0.5.0906 or later.

Another critical issue QNAP warned about is a missing authentication in QVR Pro that could provide remote attackers with access to vulnerable systems. QVR Pro versions 2.7.4.1485 and later resolve the bug.

Additionally, the company addressed medium-severity vulnerabilities in Media Streaming Add-on and QuFTP Service that could lead to crashes or data leaks.
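Because the fixed builds quoted above differ per product and, for QuNetSwitch, per release branch, a fleet check has to compare dotted version strings branch by branch rather than with a plain string comparison. The following is an added example written for this article, not QNAP's code or the advisory's own tooling: it takes the fixed versions named in the article, parses QNAP-style versions into integer tuples, and reports which devices in a constructed inventory still need updating. The branch handling (a branch newer than any listed fix is treated as patched, an older unlisted branch as unpatched) and the inventory records are assumptions made for the example.

```python
# Added example: version triage against the fixed builds named in the article.

# Fixed builds from the QNAP advisories summarised above. QuNetSwitch has two
# maintained branches (2.0.4.x and 2.0.5.x), each with its own fixed build.
FIXED_VERSIONS = {
    "QuRouter": ["2.6.3.009"],
    "QuNetSwitch": ["2.0.4.0415", "2.0.5.0906"],
    "QVR Pro": ["2.7.4.1485"],
}

# Constructed sample inventory (hostname, product, installed version); not real devices.
SAMPLE_INVENTORY = [
    ("edge-rtr-01", "QuRouter", "2.6.3.009"),
    ("edge-rtr-02", "QuRouter", "2.6.2.100"),
    ("sw-floor-1", "QuNetSwitch", "2.0.4.0400"),
    ("sw-floor-2", "QuNetSwitch", "2.0.5.0906"),
    ("sw-lab", "QuNetSwitch", "2.0.3.9999"),
    ("cam-srv", "QVR Pro", "2.7.4.1400"),
]


def parse_version(text):
    """Turn a dotted QNAP version string into a tuple of ints.

    Leading zeros ('009', '0415') are numeric padding, so they compare
    correctly once converted; a lexical string comparison would not.
    """
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)


def is_patched(product, installed):
    """Return True if `installed` carries the fix for `product`.

    Branch rule (an assumption of this example, not stated by QNAP):
    - the first three components identify a branch;
    - if a fixed build exists for the installed branch, compare against it;
    - otherwise a version above every listed fix is treated as patched and
      a version below them (an older, unlisted branch) as unpatched.
    """
    if product not in FIXED_VERSIONS:
        raise ValueError(f"no fixed versions known for {product!r}")
    inst = parse_version(installed)
    fixed = [parse_version(v) for v in FIXED_VERSIONS[product]]
    same_branch = [f for f in fixed if f[:3] == inst[:3]]
    if same_branch:
        return inst >= same_branch[0]
    return inst > max(fixed)


def triage(inventory):
    """Return the hostnames of devices that still need an update, in order."""
    return [host for host, product, version in inventory
            if not is_patched(product, version)]


if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"UPDATE NEEDED: {host}")
```

Run it against a real export of device versions in the same (hostname, product, version) shape; the branch rule is the part to revisit if QNAP publishes fixes for further branches, since it decides how unlisted branches are treated.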

QNAP makes no mention of any of these vulnerabilities being exploited in the wild. Additional information can be found on the company’s security advisories page.


Ionut Arghire is an international correspondent for SecurityWeek.
