Ce mail provient de l'extérieur, restons vigilants

=====================================================================

                            CERT-Renater

                Note d'Information No. 2025/VULN777
_____________________________________________________________________

DATE                : 10/11/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running QTS, QuTS hero versions prior
                             to 5.2.7.3297 build 20251024.

=====================================================================
https://www.qnap.com/en/security-advisory/qsa-25-45
_____________________________________________________________________


Security ID : QSA-25-45
Multiple Vulnerabilities in QTS and QuTS hero (PWN2OWN 2025)

    Release date : November 8, 2025

    CVE identifier : CVE-2025-62847 | CVE-2025-62848 | CVE-2025-62849
| ZDI-CAN-28353 | ZDI-CAN-28435 | ZDI-CAN-28436

    Affected products: QTS 5.2.x, QuTS hero h5.2.x, QuTS hero h5.3.x

Severity
Critical

Status
Resolved


Summary

Multiple vulnerabilities have been reported to affect certain QNAP
operating system versions. We have already fixed the vulnerabilities
in the following versions:


Affected Product 	Fixed Version
QTS 5.2.x 	QTS 5.2.7.3297 build 20251024 and later
QuTS hero h5.2.x 	QuTS hero h5.2.7.3297 build 20251024 and later
QuTS hero h5.3.x 	QuTS hero h5.3.1.3292 build 20251024 and later


Recommendation

To secure your device, we recommend regularly updating your system
to the latest version to benefit from vulnerability fixes. You can
check the product support status to see the latest updates
available to your NAS model.

Updating QTS or QuTS hero

    Log in to QTS or QuTS hero as an administrator.
    Go to Control Panel > System > Firmware Update.
    Under Live Update, click Check for Update.
    The system downloads and installs the latest available update.

Tip: You can also download the update from the QNAP website. Go to
Support > Download Center and then perform a manual update for your
specific device.

  
Acknowledgements: Pwn2Own 2025 - DEVCORE

Revision History:
V1.0 (November 8, 2025) - Published



=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================