QNAP Releases Security Updates for QTS and QuTS hero
Summary
When chained together, the vulnerabilities could allow for unauthenticated remote code execution and full device takeover
Affected platforms
The following platforms are known to be affected:
Threat details
Proof-of-concept exploits available
Security researchers have demonstrated a proof-of-concept exploit that chains CVE-2025-62847, CVE-2025-62848, and CVE-2025-62849 together to achieve remote code execution and full device takeover of QTS and QuTS hero devices.
Network attached storage (NAS) devices and backup solutions are valuable targets for cyber criminals. The NHS England National CSOC assesses future exploitation as likely.
Introduction
QNAP has released security updates to address three critical vulnerabilities in QTS and QuTS hero network attached storage (NAS) appliances.
When CVE-2025-62847, CVE-2025-62848, and CVE-2025-62849 are chained together, a remote unauthenticated attacker could execute arbitrary code and gain full control of an affected appliance.
Remediation advice
Affected organisations are strongly encouraged to review QNAP security advisory QSA-25-45 and update to the latest fixed version as soon as possible. The National CSOC also recommends ensuring NAS devices and other backup solutions are not accessible from the internet.
Definitive source of threat updates
CVE Vulnerabilities
Last edited: 10 November 2025 1:14 pm