The Pwn2Own Ireland 2025 competition has concluded, and the results have sent a strong signal to the network-attached storage (NAS) market. Security researchers successfully exploited multiple Synology and QNAP devices, earning a combined total of over $335,000 in prize money. This event highlights the critical importance of keeping devices up to date with the latest security patches, as even the most secure devices are not immune to sophisticated attacks.
Pwn2Own is a premier hacking competition where researchers are challenged to find and exploit previously unknown vulnerabilities in popular hardware and software. Vendors often participate by providing their devices as targets, and a successful exploit results in a prize payout and a private disclosure of the vulnerabilities, allowing the vendor to develop and release a patch. This process is crucial for the cybersecurity ecosystem, as it helps close security gaps before they can be maliciously exploited.
QNAP Devices Hacked: A High-Stakes Target
QNAP’s devices proved to be a popular target, with researchers earning a total of $170,000 for successful exploits.
- $100,000 for a “SOHO Smashup”: The largest single payout went to Team DDOS, who used a chain of eight different bugs to exploit both a QNAP Qhora-322 router and a QNAP TS-453E NAS. This “SOHO Smashup” category is particularly concerning for home and small business users, as it demonstrates how an attacker could move from a compromised router to other devices on the internal network.
- $40,000 for Code Injections: The DEVCORE Research Team and Intern Program also targeted the QNAP TS-453E, using multiple injections and a format string bug to achieve their goal.
- $20,000 for a Single Bug: Researcher Chumy Tsai from CyCraft Technology successfully exploited the same device with a single code injection bug, proving that even a single flaw can lead to full compromise.
- $10,000 for a Known Vulnerability: A team of researchers earned a reduced prize for exploiting the QNAP TS-453E with a bug that had been previously seen in the contest.
Synology Devices: A Range of Exploits
Synology’s devices were also successfully targeted, with researchers earning a total of $165,000 in prize money.
- $50,000 for a Pair of Bugs: The highest payout for a Synology device went to the Summoning Team for exploiting the Synology ActiveProtect Appliance DP320 with a pair of bugs.
- $40,000 for Code Execution: Researcher Sina Kheirkhah of the Summoning Team used a pair of bugs to get code execution on the Synology DS925+.
- $40,000 for a Stack Overflow: The Synology BeeStation Plus was exploited with a stack overflow, earning the researchers from Synacktiv a substantial prize.
- $20,000 for an Auth Bypass: The Verichains Cyber Force team used an authentication bypass and a second bug to exploit the Synology DS925+ and gain root access.
- $15,000 for a Known Bug: The Summoning Team successfully exploited the Synology CC400W camera, but since the bug was known to the vendor, they received a reduced prize.
What This Means for NAS Users: The Takeaway
The most important takeaway for every NAS owner is to take security seriously. Pwn2Own demonstrates that even leading manufacturers like QNAP and Synology have vulnerabilities. While the specific exploits used were zero-day attacks—meaning they were previously unknown—they highlight the need for a layered security approach.
Here are the most basic and effective measures every NAS owner should take:
- Patch Immediately: Always install security updates and firmware patches from the manufacturer as soon as they are released. The vendors are now working to patch these specific vulnerabilities, and users should update their systems promptly.
- Limit External Access: Do not expose your NAS directly to the internet. If you need remote access, use a secure VPN or a modern, encrypted remote access tool.
- Use Strong Access Controls: Implement a strong, unique password and enable multi-factor authentication (MFA) on every possible account and service.
- Disable Unnecessary Services: Turn off any services, applications, or ports that are not actively in use. This reduces the “attack surface” of the device, giving hackers fewer entry points to target.
Pwn2Own is a great example of how security researchers play a vital role in making our devices safer. While these results may seem alarming, they are a powerful reminder that vigilance and regular patching are the best defense against evolving cyber threats.