Pwn2Own Discovery: Hard-Coded Credentials in QNAP TS-453E Hyper Data Protector Plugin Allow Authentication Bypass
A hard-coded credentials vulnerability in the QNAP TS-453E Hyper Data Protector Plugin, discovered at Pwn2Own, lets network-adjacent attackers bypass authentication without any credentials.

A critical vulnerability in the QNAP TS-453E network-attached storage device, discovered during the Pwn2Own hacking competition, allows network-adjacent attackers to bypass authentication entirely. The flaw, tracked as CVE-2025-59388, resides in the configuration of Bareos by the Hyper Data Protector Plugin and stems from the use of hard-coded credentials. No prior authentication is required to exploit the issue, making it a serious threat to enterprise and home-office NAS deployments.
The vulnerability was reported by Sina Kheirkhah of the Summoning Team and disclosed by the Zero Day Initiative (ZDI) on March 16, 2026, under advisory ZDI-26-201. According to the advisory, the specific flaw exists within the configuration of Bareos by the Hyper Data Protector Plugin. The issue results from the use of hard-coded credentials, which an attacker can leverage to bypass authentication on the system. The CVSS score for this vulnerability is 6.3, with a vector of AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L, indicating medium severity but low attack complexity.
QNAP has released a security update, detailed in advisory QSA-25-48, to address the vulnerability. The coordinated disclosure timeline shows the vulnerability was reported to QNAP on November 18, 2025, with the public advisory released on March 16, 2026. Users of the QNAP TS-453E are strongly urged to apply the update immediately to mitigate the risk of unauthorized access.
The discovery of this vulnerability at Pwn2Own highlights the ongoing value of such competitions in uncovering critical flaws in widely deployed devices. Pwn2Own Berlin 2026 saw researchers earn $1.3 million for 47 zero-days across enterprise and AI products, with the QNAP flaw being one of many uncovered. The use of hard-coded credentials remains a persistent weakness in embedded systems, often overlooked during development but easily exploited by attackers.
For QNAP users, the immediate step is to apply the QSA-25-48 update. Beyond patching, organizations should consider network segmentation to limit exposure of NAS devices to untrusted networks, as the vulnerability is exploitable from adjacent networks. The ZDI advisory notes that the flaw allows attackers to bypass authentication, potentially leading to data access, modification, or further compromise of the device.
This vulnerability serves as a reminder of the importance of secure credential management in IoT and embedded devices. Hard-coded credentials are a well-known anti-pattern, yet they continue to appear in products from major vendors. The Pwn2Own discovery process ensures that such flaws are responsibly disclosed and patched before they can be widely exploited in the wild.
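The detection side of the weakness described above, as an added example that is not QNAP's, Bareos's or ZDI's own code: a small auditor that parses Bareos-style resource blocks (`Director { ... }`, `Client { ... }`) and flags `Password` directives that match a constructed placeholder/default list, are too short, or are reused across resources, which is how a hard-coded shared credential in a shipped configuration typically looks. The sample config, the default-password list and the 16-character threshold are all constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample resembling a Bareos director config; not QNAP's actual file.
SAMPLE_CONF = """
Director {
  Name = "nas-dir"
  Password = "changeme"
}
Client {
  Name = "nas-fd"
  Password = "changeme"
}
Storage {
  Name = "nas-sd"
  Password = "Qm7xZ2pLw9vTn4Rs"
}
"""

# Constructed list of placeholder values; extend with values seen in your own audits.
PLACEHOLDER_DEFAULTS = {"changeme", "password", "admin", "bareos"}

RESOURCE_RE = re.compile(r'(\w+)\s*\{([^}]*)\}', re.S)          # Kind { ... }
DIRECTIVE_RE = re.compile(r'^\s*(\w+)\s*=\s*"?([^"\n]*?)"?\s*$', re.M)  # Key = "value"

def parse_resources(text):
    """Return [(resource_kind, {directive_lower: value}), ...] for non-nested resources."""
    out = []
    for m in RESOURCE_RE.finditer(text):
        kind, body = m.group(1), m.group(2)
        directives = {k.lower(): v.strip() for k, v in DIRECTIVE_RE.findall(body)}
        out.append((kind, directives))
    return out

def audit_passwords(text, defaults=PLACEHOLDER_DEFAULTS, min_len=16):
    """Flag placeholder, short, and reused Password values; returns [(where, reason), ...]."""
    findings, seen = [], defaultdict(list)
    for kind, d in parse_resources(text):
        pw = d.get("password")
        if pw is None:
            continue
        label = f"{kind}/{d.get('name', '?')}"
        if pw.lower() in defaults:
            findings.append((label, "known placeholder/default password"))
        elif len(pw) < min_len:
            findings.append((label, f"password shorter than {min_len} chars"))
        seen[pw].append(label)
    for labels in seen.values():          # the same secret in several resources
        if len(labels) > 1:
            findings.append((", ".join(labels), "same password reused across resources"))
    return findings
```

Run it over a real `bareos-dir.conf` (or the `.d/` resource files) by reading the file into `audit_passwords`; an empty list means no finding under these rules.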