QNAP Critical Updates - 20251110001

Overview

QNAP have released updates addressing multiple zero-day vulnerabilities affecting their QNAP network-attached storage (NAS) devices.

What is vulnerable?

Product(s) and Version(s) Affected	CVE	CVSS	Severity
QTS 5.2.x prior to QTS 5.2.7.3297 build 20251024 QuTS hero h5.2.x prior to QuTS hero h5.2.7.3297 build 20251024 QuTS hero h5.3.x prior to QuTS hero h5.3.1.3292 build 20251024	CVE-2025-11837 CVE-2025-59389 CVE-2025-62840 CVE-2025-62842 CVE-2025-62847 CVE-2025-62848 CVE-2025-62849	TBD	TBD

What has been observed?

The WASOC has not received any reports of exploitation of this vulnerability on Western Australian Government networks at the time of writing.

Recommendation

The WASOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframes (refer Patch Management):

• QNAP: https://www.qnap.com/en/security-advisory/qsa-25-45

Additional References

• BleepingComputer: https://www.bleepingcomputer.com/news/security/qnap-fixes-seven-nas-zero-day-vulnerabilities-exploited-at-pwn2own/