嗯,用户让我帮忙总结一下这篇文章的内容,控制在一百个字以内,而且不需要用“文章内容总结”或者“这篇文章”这样的开头。直接写文章描述即可。 首先,我需要通读整篇文章,抓住主要信息。文章主要讲的是QNAP修复了四个在Pwn2Own Ireland 2025比赛中被展示的漏洞。这些漏洞可能导致代码执行、数据访问或系统中断。攻击者可能通过物理访问、网络暴露或提升权限来利用这些漏洞。 接下来,我需要将这些信息浓缩到一百个字以内。要注意包括QNAP修复了四个漏洞,这些漏洞是在比赛中被发现的,可能带来的风险,以及攻击者可能利用的途径。 然后,我要确保语言简洁明了,不使用复杂的术语。同时,避免使用用户要求的那些开头词。 最后,检查字数是否符合要求,并确保信息准确无误。 </think> QNAP修复了四个在Pwn2Own Ireland 2025中展示的漏洞,涉及SD-WAN路由器和相关设备。这些漏洞可能导致代码执行、数据泄露或系统中断。攻击者可能通过物理访问、弱认证机制或SQL注入等方式利用这些漏洞。 2026-3-23 20:49:23 Author: securityaffairs.com(查看原文) 阅读量:2 收藏
QNAP fixed four vulnerabilities demonstrated at Pwn2Own Ireland 2025
QNAP fixed four vulnerabilities shown at Pwn2Own 2025 that could enable code execution, data access, or system disruption.
Taiwanese vendor QNAP has addressed multiple vulnerabilities, including four SD-WAN router issues (CVE-2025-62843 to CVE-2025-62846) demonstrated at the Pwn2Own Ireland 2025 by Team DDOS. The team chained multiple bugs in QNAP devices to gain root access and earned a $100,000 reward.
The flaws could allow attackers to access sensitive data, execute code, or disrupt system operations if left unpatched.
The manufacturer addressed the four vulnerabilities in QuRouter version 2.6.3.009.
The vulnerabilities identified in QHora devices highlight how different levels of access can translate into significant security risks for an organization’s infrastructure. Below are the descriptions of the flaws:
CVE-2025-62843 involves an issue with communication channel restrictions. If an attacker gains physical access to the device, they can exploit this flaw to obtain privileges intended for other endpoints, effectively bypassing existing controls.
CVE-2025-62844 affects the local network level. In this case, an attacker with LAN access can take advantage of weak authentication mechanisms to retrieve sensitive information, exposing data that should remain protected.
More critical is CVE-2025-62846, which comes into play when an attacker gains administrative credentials. By exploiting an SQL injection vulnerability, they can execute unauthorized commands, compromising the integrity and control of the system.
Finally, CVE-2025-62845 relates to improper handling of escape and control sequences. An attacker with elevated privileges can trigger unexpected system behavior, potentially impacting stability and security.
Overall, these vulnerabilities show how a combination of physical access, network exposure, and elevated privileges can amplify risk, making timely patching and strong security practices essential.
In November 2025, the Taiwanese vendor patched seven zero-day vulnerabilities exploited at Pwn2Own Ireland 2025. The flaws affected QTS, QuTS hero, Hyper Data Protector, Malware Remover, and HBS 3 Hybrid Backup Sync.
The vulnerabilities addressed by the company were:
- CVE-2025-62847 – CVE-2025-62848 – CVE-2025-62849 in QNAP’s QTS and QuTS hero operating systems;
- CVE-2025-11837 in Malware Remover;
- CVE-2025-59389 in Hyper Data Protector;
- CVE-2025-62840 – CVE-2025-62842 in HBS 3 Hybrid Backup Sync software.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, QNAP)
如有侵权请联系:admin#unsafe.sh