Pwn2Own Ireland 2025 delivered another intense set of device compromises, including multiple successful attacks against Synology and QNAP kit. Below I have taken the contest results and turned them into a NASCompares style update, with a short summary for each exploit, a plain-English explanation of how the bugs worked, the immediate impact, and practical mitigations you can apply today.
Quick summary
Pwn2Own awarded multiple unique root-level exploits against Synology and QNAP devices. BeeStation Plus and the QNAP TS-453E were among the highest profile targets, with successful chains that gave researchers full system control. Several entries were collisions, which at Pwn2Own means the chain reused a bug already known to the vendor or already used by another team earlier in the event, so the same vulnerable code paths were reached independently by more than one researcher. ZDI discloses Pwn2Own findings to the vendors, who get a window to ship fixes before details are published, so at the time of writing patches for these specific chains may not yet exist; the mitigations below are interim controls that do not depend on a patch. The practical lesson for home and small business users is the same: block management interfaces from the internet, enforce MFA, isolate management traffic, and apply vendor fixes as soon as they are released.
The P2OI identifiers below are this article's own cross-reference labels, not ZDI or CVE identifiers, and the CVSS and EPSS values are estimates rather than published scores.

| Exploit ID | Summary | Source | Max CVSS (est.) | EPSS (est.) | Published | Updated |
|---|---|---|---|---|---|---|
| P2OI-2025-01 | BeeStation Plus: stack overflow in a web or file service let malformed input trigger remote code execution as root, enabling data theft, backup deletion and pivoting. | ZDI Pwn2Own Ireland 2025, Tek_7987 & @_Anyfun, Synacktiv | 9.8 | 0.60% | 2025-10-23 | 2025-10-23 |
| P2OI-2025-02 | Synology DS925+, chained bugs: authentication bypass followed by command execution via the DSM web UI or API, resulting in a root shell and full system control. | ZDI Pwn2Own Ireland 2025, unnamed team | 9.8 | 0.45% | 2025-10-23 | 2025-10-23 |
| P2OI-2025-03 | Synology DS925+, repeat chained bugs: another chain of authentication bypass plus privilege escalation reached uid 0, enabling file access and network pivoting. | ZDI Pwn2Own Ireland 2025, unnamed team | 9.8 | 0.45% | 2025-10-23 | 2025-10-23 |
| P2OI-2025-04 | Synology ActiveProtect DP320: web management chain allowed command execution with system privileges, full takeover of the backup appliance and risk of backup deletion. | ZDI Pwn2Own Ireland 2025, backup appliance category | 9.0 | 0.30% | 2025-10-23 | 2025-10-23 |
| P2OI-2025-05 | Camera CC400W / TC500 firmware bug: an out-of-bounds read that the researchers turned into an interactive shell, then used existing accounts or privilege escalation to access the filesystem and run commands. | ZDI Pwn2Own Ireland 2025, camera category demo | 7.8 | 0.20% | 2025-10-23 | 2025-10-23 |
| P2OI-2025-06 | Qhora-322 router then QNAP TS-453E pivot chain: router admin or UPnP compromise used to reach the NAS, then web/API flaws exploited to obtain root on the TS-453E. | ZDI Pwn2Own Ireland 2025, multi-device pivot demo | 9.5 | 0.50% | 2025-10-23 | 2025-10-23 |
| P2OI-2025-07 | QNAP TS-453E: PHP web shell upload via injection and a format string bug; the uploaded shell gave remote command execution as admin, with data theft and persistence risk. | ZDI Pwn2Own Ireland 2025, reported evidence | 9.2 | 0.40% | 2025-10-23 | 2025-10-23 |
| P2OI-2025-08 | QNAP TS-453E: CGI command injection; crafted input passed to a shell allowed remote command execution as admin. | ZDI Pwn2Own Ireland 2025, reported evidence | 9.0 | 0.35% | 2025-10-23 | 2025-10-23 |
| P2OI-2025-09 | QNAP TS-453E: collision with a known bug; the chain reused a flaw already reported or demonstrated earlier, and it still yielded admin or root access. | ZDI Pwn2Own Ireland 2025, collision entries | 7.6 | 0.25% | 2025-10-23 | 2025-10-23 |
| P2OI-2025-10 | QNAP TS-453E: hard-coded credential plus injection; the built-in secret authenticated the attacker, then injection executed commands, leading to a root shell. | ZDI Pwn2Own Ireland 2025, Sina Kheirkhah, Summoning Team | 9.0 | 0.50% | 2025-10-23 | 2025-10-23 |
Exploit breakdown
P2OI-2025-01 — BeeStation Plus
Summary. Stack overflow in a web or file service allowed malformed input to trigger remote code execution as root.
Source. ZDI Pwn2Own Ireland 2025. Tek_7987 and @_Anyfun, Synacktiv.
Max CVSS estimate. 9.8.
EPSS estimate. 0.60%.
Published / Updated. 2025-10-23.
What happened, plain. The researchers sent specially crafted data that overflowed a stack buffer in the vulnerable service. The overflow let them redirect execution inside that process, and because the process was running as root, attacker-supplied code ran with root privileges, which the team turned into a root shell on the NAS. Once at root, they could read files, remove backups, or use the NAS to pivot into other systems on the network.
Why it mattered. Root on a backup or file server is catastrophic. Backups, photos, business data, and credentials are all exposed.
Immediate mitigations. Do not expose NAS web or file services to the internet. Require VPN to reach admin consoles. Use strong passwords and multi factor authentication for admin accounts. Put NAS devices on a management VLAN with restricted routes. Disable services you do not use. Send logs to a collector and watch for new users or unexpected processes.
P2OI-2025-02 — Synology DS925+, chained bugs
Summary. Authentication bypass plus command execution via DSM web or API resulted in root shell and full control.
Source. ZDI Pwn2Own Ireland 2025, unnamed team.
Max CVSS estimate. 9.8.
EPSS estimate. 0.45%.
Published / Updated. 2025-10-23.
What happened, plain. The exploit combined two separate weaknesses. The first allowed the attacker to bypass authentication and reach an internal service, the second allowed execution of system commands. Chaining them produced a root shell.
Why it mattered. Full system compromise, with access to files, backups, and the ability to install persistent backdoors.
Immediate mitigations. Block DSM and admin ports at the perimeter, require VPN for remote admin, enforce MFA on all admin accounts, uninstall or disable community packages that expose web endpoints, monitor login and sudo activity.
P2OI-2025-03 — Synology DS925+, repeat chained bugs
Summary. Another chained authentication bypass and privilege escalation on DS925+, reached uid 0 and allowed file access and pivoting.
Source. ZDI Pwn2Own Ireland 2025, unnamed team.
Max CVSS estimate. 9.8.
EPSS estimate. 0.45%.
Published / Updated. 2025-10-23.
What happened, plain. Same pattern as P2OI-2025-02, showing multiple independent chains could achieve the same outcome, and demonstrating attack repeatability.
Why it mattered. Repeated successful exploitation is a strong indicator of systemic access control weaknesses.
Immediate mitigations. VPN only access for DSM, MFA for all admin accounts, remove unused admin accounts and packages, continuous monitoring for new sessions and privilege changes.
P2OI-2025-04 — Synology ActiveProtect DP320
Summary. Web management chain allowed command execution with system privileges, full takeover of backup appliance.
Source. ZDI Pwn2Own Ireland 2025, backup appliance category.
Max CVSS estimate. 9.0.
EPSS estimate. 0.30%.
Published / Updated. 2025-10-23.
What happened, plain. The researchers chained two bugs, one to bypass access controls and one to execute system commands, which gave them root on an appliance responsible for backups and monitoring.
Why it mattered. A compromised backup appliance endangers your ability to recover from ransomware and undermines trust in your backups.
Immediate mitigations. Isolate backup appliances on a management VLAN with no direct internet access. Use VPN for administration, enforce unique strong admin passwords and MFA, and monitor logs for unusual access.
P2OI-2025-05 — Camera CC400W / TC500 firmware bug
Summary. An out-of-bounds read bug that the researchers turned into an interactive shell on the camera, then used existing accounts or privilege escalation to read the filesystem and run commands.
Source. ZDI Pwn2Own Ireland 2025, camera category demo.
Max CVSS estimate. 7.8.
EPSS estimate. 0.20%.
Published / Updated. 2025-10-23.
What happened, plain. A firmware bug allowed execution of a shell process, which the researchers used to access files and execute commands on the camera.
Why it mattered. Cameras often have network access and default credentials, making them useful pivot points into the LAN and the NAS.
Immediate mitigations. Put cameras on a separate VLAN that cannot talk to NAS or management networks. Block camera management ports at the perimeter, require VPN for remote admin. Change default passwords, disable telnet and unused services, and forward camera logs to a central collector. If a vendor patch is not available, isolate or replace the device.
P2OI-2025-06 — Qhora-322 router then QNAP TS-453E pivot chain
Summary. Router admin or UPnP compromise used to reach NAS, then web or API flaws exploited to obtain root on the TS-453E.
Source. ZDI Pwn2Own Ireland 2025, multi device pivot demo.
Max CVSS estimate. 9.5.
EPSS estimate. 0.50%.
Published / Updated. 2025-10-23.
What happened, plain. The researchers first compromised the router using remote admin or UPnP features, then used that foothold to attack the NAS. This is a classic pivot operation.
Why it mattered. When a router is compromised, all devices behind it become exposed. Attackers use this route to reach otherwise protected services.
Immediate mitigations. Disable remote admin on home routers and UPnP, put router, IoT and NAS on separate VLANs, require VPN to reach any management UI, apply firmware updates immediately, remove unused apps on the NAS, enable WAF or reverse proxy for exposed web UIs, and monitor traffic from router to NAS for anomalies.
P2OI-2025-07 — QNAP TS-453E PHP web shell upload via injection and format string bug
Summary. Injection combined with a format string weakness allowed a PHP web shell to be uploaded, giving a remote command shell as admin.
Source. ZDI Pwn2Own Ireland 2025, reported evidence.
Max CVSS estimate. 9.2.
EPSS estimate. 0.40%.
Published / Updated. 2025-10-23.
What happened, plain. Poor input handling plus a format string bug allowed a file to be uploaded or created in a web-served location, where it acted as a web shell. The researchers then used that shell to execute arbitrary commands.
Why it mattered. Web shells are a reliable way to maintain persistence and to exfiltrate or destroy data.
Immediate mitigations. Block NAS web ports from the internet, require VPN for admin, disable third party or unused web apps, put a reverse proxy or WAF in front of web UIs, and scan web directories for unexpected script files.
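The last mitigation, scanning web directories for unexpected script files, can be automated. The following Python is an added example, not tooling from QNAP, Synology or the researchers. It assumes you captured a baseline manifest of script hashes from a known-good install (or straight after a firmware update) and compares the live web root against it, flagging scripts that are new, modified, or contain classic web-shell constructs. The sample web root and the planted files are constructed for the demo.

```python
"""Scan a NAS web root for unexpected or suspicious script files.

Added illustration, not vendor tooling. Assumes a baseline manifest
(relative path -> SHA-256) captured from a known-good install.
"""
import hashlib
import re
import tempfile
from pathlib import Path

SCRIPT_SUFFIXES = {".php", ".phtml", ".php5", ".cgi", ".sh", ".py", ".pl"}

# Constructs common in PHP web shells and rare in shipped NAS UI code.
# Illustrative set; tune for your device. A trojaned file that matches none
# of these is still caught by the hash comparison below.
SHELL_PATTERNS = [
    re.compile(rb"\b(system|exec|shell_exec|passthru|popen|proc_open)\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)"),
    re.compile(rb"\beval\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\("),
    re.compile(rb"\$_(GET|POST|REQUEST)\s*\[[^\]]+\]\s*\(\s*\$_(GET|POST|REQUEST)"),  # $_GET['a']($_GET['b'])
    re.compile(rb"\bassert\s*\(\s*\$_(GET|POST|REQUEST)"),
]


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def iter_scripts(webroot: Path):
    """Yield (relative POSIX path, Path) for every script file under webroot."""
    for p in sorted(webroot.rglob("*")):
        if p.is_file() and p.suffix.lower() in SCRIPT_SUFFIXES:
            yield p.relative_to(webroot).as_posix(), p


def build_baseline(webroot: Path) -> dict[str, str]:
    """Run this on a clean install and store the result off the device."""
    return {rel: sha256_file(p) for rel, p in iter_scripts(webroot)}


def scan_webroot(webroot: Path, baseline: dict[str, str]) -> dict[str, list[str]]:
    """Return scripts that are new, changed since baseline, or match shell patterns."""
    findings: dict[str, list[str]] = {"new": [], "modified": [], "suspicious": []}
    for rel, p in iter_scripts(webroot):
        digest = sha256_file(p)
        if rel not in baseline:
            findings["new"].append(rel)
        elif baseline[rel] != digest:
            findings["modified"].append(rel)
        if any(pat.search(p.read_bytes()) for pat in SHELL_PATTERNS):
            findings["suspicious"].append(rel)
    return findings


def demo() -> dict[str, list[str]]:
    """Constructed sample web root: baseline a clean tree, then plant two files."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "cgi-bin").mkdir()
        (root / "index.php").write_bytes(b"<?php echo 'NAS login'; ?>")
        (root / "cgi-bin" / "status.cgi").write_bytes(b"#!/bin/sh\necho ok\n")
        baseline = build_baseline(root)
        # Simulated attacker: drops a shell and trojans an existing handler.
        (root / "uploads.php").write_bytes(b"<?php eval(base64_decode($_POST['c'])); ?>")
        (root / "cgi-bin" / "status.cgi").write_bytes(b'#!/bin/sh\nsh -c "$QUERY_STRING"\n')
        (root / "logo.png").write_bytes(b"\x89PNG not a script")  # ignored, not a script
        return scan_webroot(root, baseline)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In practice, take the baseline immediately after each firmware update, keep the manifest somewhere the NAS cannot write to, and run the scan on a schedule. In the demo the dropped `uploads.php` is reported both as new and as suspicious, while the trojaned `status.cgi` contains no PHP pattern and is caught only by the hash difference, which is why the pattern list alone is not enough.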
P2OI-2025-08 — QNAP TS-453E CGI command injection
Summary. Crafted input passed directly to a shell by a vulnerable CGI endpoint, allowing command execution as admin.
Source. ZDI Pwn2Own Ireland 2025, reported evidence.
Max CVSS estimate. 9.0.
EPSS estimate. 0.35%.
Published / Updated. 2025-10-23.
What happened, plain. A CGI handler failed to sanitize its inputs and forwarded them into a shell command string. The researchers injected shell metacharacters and extra commands, which the server executed.
Why it mattered. CGI-based command injection is a simple but effective way to gain admin-level control whenever a web interface passes user input to a shell without treating it as untrusted.
Immediate mitigations. Do not expose NAS web interfaces to WAN, use VPN only for admin, disable CGI or legacy web modules, use a WAF or reverse proxy to filter suspicious parameters, and review web directories for changes.
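To make the bug class concrete, here is an added Python illustration, not QNAP's code and not the contest entry, of a CGI-style handler that splices a request parameter into a shell command, next to a hardened version and a small check you could run in a reverse proxy rule or over access logs. The `ping` helper, the `host` parameter and the query strings are constructed stand-ins.

```python
"""Command injection in a CGI-style handler: vulnerable pattern, hardened rewrite,
and a detection check. Added illustration; the endpoint is a constructed stand-in."""
import ipaddress
import shlex
import subprocess
from urllib.parse import parse_qs


def vulnerable_build_command(query_string: str) -> str:
    """The bug class: a user-controlled value is spliced into a shell command
    string (later run via os.system() or subprocess with shell=True), so shell
    metacharacters in the parameter become additional commands."""
    params = parse_qs(query_string)
    host = params.get("host", [""])[0]
    return f"ping -c 1 {host}"


def hardened_build_argv(query_string: str) -> list[str]:
    """Allowlist-validate the parameter (here: it must parse as an IP address)
    and hand it over as a discrete argv element, never through a shell."""
    params = parse_qs(query_string)
    host = params.get("host", [""])[0]
    try:
        ipaddress.ip_address(host)
    except ValueError as exc:
        raise ValueError(f"rejected host parameter: {host!r}") from exc
    return ["ping", "-c", "1", host]


def hardened_accepts(query_string: str) -> bool:
    """True if the hardened handler would run the request, False if it rejects it."""
    try:
        hardened_build_argv(query_string)
        return True
    except ValueError:
        return False


def run_hardened(query_string: str) -> subprocess.CompletedProcess:
    """shell=False: argv goes straight to execve, so metacharacters are inert."""
    return subprocess.run(hardened_build_argv(query_string), capture_output=True, check=False)


def is_injection_attempt(query_string: str) -> bool:
    """Detection heuristic for a WAF rule or log review: flag the request when
    the parameter would shell-split into more than one token or carries shell
    metacharacters. A single-value parameter should never need either."""
    params = parse_qs(query_string)
    host = params.get("host", [""])[0]
    try:
        tokens = shlex.split(host)
    except ValueError:          # unbalanced quotes are suspicious in themselves
        return True
    return len(tokens) != 1 or any(c in host for c in ";|&`$()<>\n")


if __name__ == "__main__":
    evil = "host=127.0.0.1%3B%20id"          # decodes to: 127.0.0.1; id
    print("vulnerable runs:", vulnerable_build_command(evil))
    print("hardened accepts:", hardened_accepts(evil))
    print("flagged:", is_injection_attempt(evil))
```

The fix is not escaping, it is removing the shell from the path entirely and validating the parameter against what it is supposed to be. The detection helper is deliberately coarse; on a real device you would apply it to the specific CGI parameters that the vendor advisory names once it is published.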
P2OI-2025-09 — QNAP TS-453E known-bug reuse collision
Summary. A previously demonstrated flaw remained exploitable, permitting admin or root access again.
Source. ZDI Pwn2Own Ireland 2025, collision entries.
Max CVSS estimate. 7.6.
EPSS estimate. 0.25%.
Published / Updated. 2025-10-23.
What happened, plain. At Pwn2Own a collision means the entry used a bug that was already known to the vendor or had already been demonstrated by another team earlier in the event. Here the same vulnerable code path was reached again, so the exploit still worked even though it was no longer unique.
Why it mattered. Collisions show that a single vulnerable function or code path can be found independently by several researchers, and that the vendor must track and fix every occurrence of it rather than only the first report.
Immediate mitigations. Apply vendor patches immediately when available. Block web management ports until patches are confirmed. Run regular vulnerability scans and disable affected services until repaired.
P2OI-2025-10 — QNAP TS-453E hard-coded credential plus injection
Summary. Built-in secret credential allowed authentication, followed by input injection to execute commands and reach a root shell.
Source. ZDI Pwn2Own Ireland 2025, Sina Kheirkhah, Summoning Team.
Max CVSS estimate. 9.0.
EPSS estimate. 0.50%.
Published / Updated. 2025-10-23.
What happened, plain. The device shipped with a baked-in credential that authenticated anyone who knew it, with no login step the owner could change. The authenticated session was then used to pass unfiltered input that became command execution on the host.
Why it mattered. Hard-coded credentials are catastrophic because they let attackers bypass authentication entirely on every unpatched device, and the owner cannot rotate a secret they do not control.
Immediate mitigations. This one is mostly on the vendor: hard-coded credentials have to be removed from the firmware, and a device should force a unique password to be set on first boot rather than shipping with a built-in secret. On the user side, if the built-in credential bypasses the normal login flow then MFA on admin accounts will not stop it either, so the effective controls are network ones: keep management interfaces off the internet and on an isolated VLAN, rotate every account and service credential you do control, and isolate or replace devices with baked-in secrets until the vendor issues a fix.
What you should do right now
- Block all NAS management ports at your firewall unless you absolutely need them.
- Require VPN to access any admin UI.
- Enable multi factor authentication on every admin account.
- Put NAS and cameras on separate VLANs that have no route to your core business networks.
- Apply vendor firmware and security updates immediately.
- Disable unused services and community packages that expose web endpoints.
- Scan web directories for unexpected script files and web shells.
- Forward logs to a collector and monitor for new admin accounts, unusual sudo calls, and router to NAS pivot attempts.
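The log-monitoring item is the one most people skip because it sounds vague. As an added example, not vendor code, here is a small Python detector run over constructed syslog-style lines: it flags new accounts, promotion into an admin group, sudo by a non-approved user, and connections to NAS management ports from outside the management VLAN, which is what a router-to-NAS pivot looks like at the firewall. Hostnames, IP ranges, ports and the approved-admin list are assumptions to replace with your own, and real DSM or QTS log formats will differ, so adapt the regexes to what your collector actually receives.

```python
"""Detection rules over forwarded NAS and firewall logs.

Added illustration, not Synology/QNAP code. Log lines are constructed,
generic syslog-style samples; all names, ports and addresses are assumptions.
"""
import re
from dataclasses import dataclass

MGMT_PORTS = {22, 443, 5000, 5001, 8080, 8443}   # assumed NAS management ports
MGMT_NET = "10.10.99."                            # assumed management VLAN prefix
KNOWN_ADMINS = {"admin", "nasadmin"}              # assumed approved admin accounts

# Constructed sample: benign admin SSH login from the management VLAN, a new
# user created and promoted, sudo by that user, the LAN router (192.168.1.1)
# opening the NAS admin port, and a legitimate admin doing the same from inside.
SAMPLE_LOGS = """\
Oct 23 10:01:02 nas01 sshd[811]: Accepted publickey for nasadmin from 10.10.99.5 port 51022
Oct 23 10:03:15 nas01 useradd[902]: new user: name=svc_backup2, UID=1027, GID=100
Oct 23 10:03:16 nas01 usermod[903]: add 'svc_backup2' to group 'administrators'
Oct 23 10:04:40 nas01 sudo:  svc_backup2 : TTY=pts/1 ; PWD=/ ; USER=root ; COMMAND=/bin/sh
Oct 23 10:05:01 fw01 kernel: [12345.6] IN=eth1 OUT=eth0 SRC=192.168.1.1 DST=10.10.99.10 PROTO=TCP SPT=40112 DPT=5001 SYN
Oct 23 10:05:02 fw01 kernel: [12345.7] IN=eth1 OUT=eth0 SRC=10.10.99.5 DST=10.10.99.10 PROTO=TCP SPT=51100 DPT=5001 SYN
"""

NEW_USER = re.compile(r"useradd\[\d+\]: new user: name=(\S+?),")
ADMIN_GROUP = re.compile(r"usermod\[\d+\]: add '(\S+)' to group '(administrators|admin|wheel|sudo)'")
SUDO = re.compile(r"sudo:\s+(\S+)\s+:.*COMMAND=(\S+)")
FW_CONN = re.compile(r"SRC=(\S+) DST=(\S+) PROTO=TCP SPT=\d+ DPT=(\d+)")


@dataclass
class Alert:
    rule: str
    line: str


def analyse(log_text: str, known_admins=KNOWN_ADMINS) -> list[Alert]:
    """Apply the four rules to each line; a line can trigger more than one."""
    alerts: list[Alert] = []
    for line in log_text.splitlines():
        if NEW_USER.search(line):
            alerts.append(Alert("new-account", line))
        m = ADMIN_GROUP.search(line)
        if m and m.group(1) not in known_admins:
            alerts.append(Alert("privilege-change", line))
        m = SUDO.search(line)
        if m and m.group(1) not in known_admins:
            alerts.append(Alert("sudo-by-non-admin", line))
        m = FW_CONN.search(line)
        if m:
            src, dst, dport = m.group(1), m.group(2), int(m.group(3))
            # Management port on a management-VLAN host reached from outside it:
            # the shape of a compromised router or IoT device pivoting to the NAS.
            if dport in MGMT_PORTS and dst.startswith(MGMT_NET) and not src.startswith(MGMT_NET):
                alerts.append(Alert("mgmt-port-from-outside-mgmt-vlan", line))
    return alerts


def rule_counts(log_text: str = SAMPLE_LOGS) -> dict[str, int]:
    """Number of alerts per rule, the summary a dashboard would show."""
    counts: dict[str, int] = {}
    for a in analyse(log_text):
        counts[a.rule] = counts.get(a.rule, 0) + 1
    return counts


if __name__ == "__main__":
    for a in analyse(SAMPLE_LOGS):
        print(f"[{a.rule}] {a.line}")
```

The value here is the combination: a new account on its own is noise, but a new account, promoted to administrators, running sudo, within two minutes, is an incident. The firewall rule is the cheapest one to deploy and directly covers the router-to-NAS pivot the Qhora-322 entry demonstrated, provided the NAS really does sit on a separate management VLAN so that "outside" has a meaning.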
Final thoughts
Pwn2Own demonstrates research-level capabilities and shows where vendors must harden code and release fixes. For home users and small businesses the correct defensive posture is straightforward and actionable. Treat your NAS like a server, lock down management, use MFA, isolate it from other critical kit, and patch quickly. The result is a smaller attack surface, which makes these high-value research exploits much harder to weaponize in the wild.