www.securityweek.com 3/23/2026, 11:37:32 AM · via preferred

QNAP Patches Four Vulnerabilities Exploited at Pwn2Own

QNAP has issued patches for four vulnerabilities across its products that were demonstrated at Pwn2Own Ireland 2025. The flaws, tracked as CVE-2025-62843 to CVE-2025-62846, affect the company’s SD-WAN routers and were fixed in QuRouter version 2.6.3.009.

According to QNAP’s advisory, the first bug requires physical access to a vulnerable device to gain privileges, the second could be exploited over the local network to access sensitive information, and the last two weaknesses can be exploited by attackers with administrative privileges to cause unexpected device behaviour or execute unauthorized code.

The vendor notes that all four vulnerabilities were exploited at Pwn2Own 2025 by Team DDOS, which chained eight bugs on the first day to obtain root privileges and earned a $100,000 reward. Less than three weeks later, fixes were rolled out for two of the demonstrated flaws, CVE-2025-62840 and CVE-2025-62842, alongside patches for issues exploited by other teams.

In addition, QNAP patched four vulnerabilities in QuNetSwitch, with critical advisories urging updates to versions 2.0.4.0415 and 2.0.5.0906 or later. It also fixed a separate critical issue in QVR Pro, addressed in versions 2.7.4.1485 and later, as well as medium-severity flaws in Media Streaming Add-on and QuFTP Service.

Article by CyberSIXT