Critical Remote Code Execution in QNAP TS‑453E (CVE‑2025‑11837) Endangers Enterprise NAS Deployments
What It Is – A code‑injection flaw (CVE‑2025‑11837) in the malware_remover.cgi endpoint of QNAP's TS‑453E network‑attached storage (NAS) devices allows an attacker who can reach the device over the network, without credentials, to execute arbitrary Python code as root. The endpoint requires no authentication, so a single crafted request from an adjacent network segment is sufficient.
Exploitability – Demonstrated as a zero‑day at the Pwn2Own competition; a proof‑of‑concept has since been publicly disclosed. CVSS 8.8 (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H): low attack complexity, no privileges or user interaction required, full impact on confidentiality, integrity and availability. The AV:A component means the attacker needs adjacent‑network access (the same LAN, VLAN or VPN segment as the NAS), which is exactly what network segmentation is meant to deny.
Affected Products – QNAP TS‑453E NAS running firmware older than the fixed builds listed in QNAP security advisory QSA‑25‑47.
TPRM Impact – Organizations that rely on QNAP NAS for file sharing, backups, or as a storage tier for third‑party services face data confidentiality, integrity, and availability risks. A compromised NAS can become a foothold for lateral movement into partner networks, amplifying supply‑chain exposure.
Recommended Actions –
- Apply the fixed firmware listed in QNAP security advisory QSA‑25‑47 immediately on all TS‑453E devices.
- Verify firmware versions against the asset inventory (compare build numbers numerically, not as strings) and enforce a "patch‑first" policy for network‑attached storage.
- Segment NAS devices from untrusted network zones and restrict inbound traffic to the required management ports from management networks only; because the flaw is adjacent‑network exploitable, flat networks that place user endpoints beside the NAS remove the only barrier.
- Review system and web‑access logs for requests to malware_remover.cgi from sources outside the management networks, and for other anomalous activity, going back at least to the public Pwn2Own demonstration rather than only to the advisory release date.
- Update third‑party risk registers to flag QNAP TS‑453E as a high‑risk asset until fully remediated.
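The inventory check and log review above, as an added worked example (this is not QNAP's tooling and not part of the advisory). It assumes the inventory is a CSV export with hostname, model, firmware and ip columns, that the NAS web server writes Apache‑style access logs, that management traffic originates from an assumed 10.0.9.0/24 network, and that FIXED_FIRMWARE is a placeholder to be replaced with the build QSA‑25‑47 actually names; every inventory row and log line below is constructed, and the request paths are illustrative.

```python
"""Triage helpers for the QNAP TS-453E / CVE-2025-11837 advisory.

Added example, not QNAP's tooling. Assumptions: inventory is a CSV export
with hostname,model,firmware,ip columns; the NAS web server writes
Apache-style access logs; FIXED_FIRMWARE is a placeholder to be replaced
with the build named in QSA-25-47; all sample data below is constructed.
"""
import csv
import io
import ipaddress
import re
from typing import Dict, List, Tuple

# Placeholder: substitute the first fixed build listed in QSA-25-47.
FIXED_FIRMWARE = "5.2.1.2930"
AFFECTED_MODELS = {"TS-453E"}  # the only model the advisory names

# Networks from which NAS administration is expected (assumed for the example).
ALLOWED_MGMT_NETS = [ipaddress.ip_network("10.0.9.0/24")]

# Constructed inventory export.
INVENTORY_CSV = """\
hostname,model,firmware,ip
nas-01,TS-453E,5.2.0.2860,10.10.5.20
nas-02,TS-453E,5.2.1.2930,10.10.5.21
nas-03,TS-464,5.2.0.2860,10.10.5.22
"""

# Constructed Apache-style access log; paths are illustrative, not QNAP's real ones.
ACCESS_LOG = """\
10.0.9.15 - admin [20/Nov/2025:09:01:10 +0000] "GET /cgi-bin/login.cgi HTTP/1.1" 200 1843
203.0.113.45 - - [20/Nov/2025:09:12:44 +0000] "POST /cgi-bin/malware_remover.cgi HTTP/1.1" 200 512
10.10.5.7 - - [20/Nov/2025:09:13:02 +0000] "GET /cgi-bin/malware_remover.cgi?action=scan HTTP/1.1" 200 97
10.0.9.15 - admin [20/Nov/2025:09:20:31 +0000] "GET /cgi-bin/malware_remover.cgi?action=status HTTP/1.1" 200 233
garbage line that does not parse
"""

# Common Log Format prefix: client, ident, user, timestamp, request line, status.
CLF_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)


def parse_version(v: str) -> Tuple[int, ...]:
    """Split '5.2.1.2930' into (5, 2, 1, 2930) so builds compare numerically."""
    return tuple(int(p) for p in v.strip().split("."))


def vulnerable_devices(inventory_csv: str, fixed: str = FIXED_FIRMWARE) -> List[str]:
    """Hostnames of affected models still running firmware older than the fixed build."""
    fixed_v = parse_version(fixed)
    found = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if row["model"] in AFFECTED_MODELS and parse_version(row["firmware"]) < fixed_v:
            found.append(row["hostname"])
    return found


def review_access_log(log_text: str, allowed_nets=ALLOWED_MGMT_NETS) -> List[Dict]:
    """Every request touching malware_remover.cgi, tagged with whether the source
    lies outside the management networks. The endpoint needs no authentication,
    so the HTTP user field proves nothing; source network is the useful signal."""
    hits = []
    for line in log_text.splitlines():
        m = CLF_RE.match(line)
        if not m or "malware_remover.cgi" not in m["req"]:
            continue
        try:
            src = ipaddress.ip_address(m["src"])
            outside = not any(src in net for net in allowed_nets)
        except ValueError:  # not an IP literal; treat as unknown origin
            outside = True
        hits.append({
            "src": m["src"],
            "ts": m["ts"],
            "request": m["req"],
            "status": int(m["status"]),
            "outside_mgmt": outside,
        })
    return hits


if __name__ == "__main__":
    print("needs patch:", vulnerable_devices(INVENTORY_CSV))
    for h in review_access_log(ACCESS_LOG):
        flag = "REVIEW" if h["outside_mgmt"] else "expected"
        print(f"{flag:8} {h['src']:15} {h['ts']} {h['request']}")
```

Run against the constructed data, nas-01 is the only device flagged for patching (nas-02 is already on the placeholder fixed build, nas-03 is a different model), and two of the three hits on malware_remover.cgi come from outside the management network: one from an external address and one from a host on the NAS segment itself, which is the adjacent‑network case the CVSS vector describes.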