securityaffairs.com 3/23/2026, 9:54:24 PM · via preferred

QNAP fixed four vulnerabilities demonstrated at Pwn2Own Ireland 2025

According to QNAP's QSA-26-12 advisory, four SD-WAN router flaws (CVE-2025-62843 to CVE-2025-62846) were demonstrated at Pwn2Own Ireland 2025 by Team DDOS and fixed by the vendor. The researchers earned a $100,000 reward for chaining multiple bugs to gain root access. If left unpatched, the flaws could allow attackers to access sensitive data, execute code, or disrupt system operations; QNAP addressed them in QuRouter version 2.6.3.009.

The article also notes that in November 2025 QNAP patched seven zero-day vulnerabilities exploited at Pwn2Own Ireland 2025 affecting QTS, QuTS hero, Hyper Data Protector, Malware Remover and HBS 3 Hybrid Backup Sync, with CVEs including CVE-2025-62847–62849, CVE-2025-11837, CVE-2025-59389 and CVE-2025-62840–62842. Detailed descriptions cover how misconfigurations and elevated access can translate into significant security risks for an organisation’s infrastructure.

The described CVEs include an issue with communication channel restrictions, weak authentication on the local network, an SQL injection when credentials are present, and improper handling of escape sequences. Overall, the article underscores the importance of timely patching and strong security practices to mitigate risk.

Article by CyberSIXT