Four Critical QNAP SD‑WAN Router Vulnerabilities (CVE‑2025‑62843‑62846) Demonstrated at Pwn2Own Ireland 2025, Now Patched
What It Is – QNAP disclosed four zero‑day flaws in its QuRouter SD‑WAN appliance that were publicly exploited by Team DDOS researchers during Pwn2Own Ireland 2025. The bugs span privilege escalation, weak authentication, SQL injection and improper escape handling, allowing an attacker to gain root, read sensitive data or destabilise the device.
Exploitability – The vulnerabilities were fully chained in a live demonstration, confirming practical exploitability. No public malware is known, but the proof‑of‑concept exists. CVSS scores have not been published; the combination of remote code execution and data exposure warrants a Critical rating.
Affected Products – QNAP QuRouter firmware 2.6.3.009 (SD‑WAN routers) and associated QHora devices.
TPRM Impact – Organizations that rely on QNAP networking gear for branch connectivity, IoT gateways or backup transport face supply‑chain risk: an unpatched router can become a foothold for lateral movement, data exfiltration or service outage across the enterprise network.
Recommended Actions –
- Verify firmware version on every QNAP SD‑WAN device; upgrade immediately to 2.6.3.009 or later.
- Conduct an inventory of all QNAP hardware (routers, QHora, QTS/QuTS‑hero nodes) used by third‑party vendors.
- Segment SD‑WAN routers on dedicated VLANs and enforce strict firewall rules limiting inbound management traffic.
- Monitor logs for unusual authentication attempts, SQL‑injection patterns or unexpected system reboots.
- Review contracts with QNAP‑managed services to ensure they include timely patch‑management clauses.
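One way to carry out the firmware-verification and inventory actions above, as an added example that is not part of the original brief or any QNAP tooling: an audit over an inventory export that flags devices below the minimum firmware named in the list. The CSV columns, hostnames and owner labels are constructed for illustration.

```python
import csv
import io

# Minimum firmware named in the recommended actions above.
MIN_FIRMWARE = "2.6.3.009"

# Constructed sample inventory; column names, hostnames and owners are hypothetical.
SAMPLE_INVENTORY = """hostname,owner,firmware
branch-01,internal,2.6.3.009
branch-02,vendor-a,2.6.2.007
branch-03,vendor-b,2.6.10.001
branch-04,vendor-a,unknown
"""


def parse_version(text):
    """Return the version as a tuple of ints, or None if it is not dotted-numeric."""
    parts = text.strip().split(".")
    if not all(p.isascii() and p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def audit(inventory_csv, minimum=MIN_FIRMWARE):
    """Classify each device as 'ok', 'upgrade' or 'verify' (version unreadable)."""
    floor = parse_version(minimum)
    results = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        version = parse_version(row["firmware"])
        if version is None:
            status = "verify"   # cannot confirm the version: check the device by hand
        elif version < floor:   # numeric compare; as strings "2.6.10.001" sorts below "2.6.3.009"
            status = "upgrade"
        else:
            status = "ok"
        results[row["hostname"]] = (status, row["owner"])
    return results


if __name__ == "__main__":
    for host, (status, owner) in audit(SAMPLE_INVENTORY).items():
        print(f"{host:10} owner={owner:9} {status}")
```

Devices reported as `verify` should be counted as unpatched until their firmware version has been confirmed.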
Source: SecurityAffairs – QNAP fixed four vulnerabilities demonstrated at Pwn2Own Ireland 2025