HomeIntelligenceBrief
VULNERABILITY BRIEF🟠 High Vulnerability

Critical Remote Code Execution in QNAP TS-453E (CVE-2025-11837) Endangers Enterprise NAS Deployments

A zero‑day vulnerability (CVE‑2025‑11837) in QNAP’s TS‑453E network‑attached storage allows unauthenticated attackers to execute arbitrary code as root via the malware_remover.cgi endpoint. The flaw, demonstrated at Pwn2Own, carries a CVSS score of 8.8 and can compromise data integrity and availability for organizations relying on QNAP devices. Prompt patching is essential for third‑party risk mitigation.

LiveThreat™ Intelligence · 📅 March 17, 2026· 📰 zerodayinitiative.com
🟠
Severity
High
VU
Type
Vulnerability
🎯
Confidence
High
🏢
Affected
2 sector(s)
Actions
5 recommended
📰
Source
zerodayinitiative.com

Critical Remote Code Execution in QNAP TS‑453E (CVE‑2025‑11837) Endangers Enterprise NAS Deployments

What It Is – A zero‑day code‑injection flaw (CVE‑2025‑11837) in the malware_remover.cgi endpoint of QNAP’s TS‑453E network‑attached storage (NAS) devices allows an unauthenticated, network‑adjacent attacker to execute arbitrary Python code as root.

Exploitability – Demonstrated at the Pwn2Own competition; proof‑of‑concept publicly disclosed. CVSS 8.8 (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) indicates a high‑severity, easily exploitable remote code execution.

Affected Products – QNAP TS‑453E NAS (firmware prior to the QSA‑25‑47 patch).

TPRM Impact – Organizations that rely on QNAP NAS for file sharing, backups, or as a storage tier for third‑party services face data confidentiality, integrity, and availability risks. A compromised NAS can become a foothold for lateral movement into partner networks, amplifying supply‑chain exposure.

Recommended Actions

  • Deploy QNAP’s security advisory QSA‑25‑47 patch immediately on all TS‑453E devices.
  • Verify firmware versions via inventory and enforce a “patch‑first” policy for network‑attached storage.
  • Segment NAS devices from untrusted network zones and restrict inbound traffic to required management ports only.
  • Review system and access logs for any anomalous activity since the advisory release date.
  • Update third‑party risk registers to flag QNAP TS‑453E as a high‑risk asset until fully remediated.

Source: Zero Day Initiative Advisory ZDI‑26‑198

📰 Original Source
http://www.zerodayinitiative.com/advisories/ZDI-26-198/

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · Trust Operations

Every gap like this maps to a control you can evidence.

The Verisq AI Trust Operations platform maps incidents to your control framework and collects the evidence continuously — so your Trust Center shows proof, not promises, when a buyer or auditor asks.

Explore the Verisq AI Trust Operations platform →