Pwn2Own Discovery: SQL Injection in QNAP TS-453E Hyper Data Protector Plugin Allows Root RCE
A SQL injection vulnerability in the QNAP TS-453E Hyper Data Protector Plugin, discovered at Pwn2Own, lets authenticated attackers bypass authentication and execute arbitrary code as root.
A critical SQL injection vulnerability in the QNAP TS-453E NAS appliance's Hyper Data Protector Plugin, discovered by researcher Sina Kheirkhah at the Pwn2Own competition, allows authenticated attackers to bypass authentication and execute arbitrary code with root privileges. The flaw, tracked as CVE-2025-59389, was disclosed by the Zero Day Initiative (ZDI) on March 16, 2026, 2026, with a CVSS score of 8.0.
The vulnerability resides in the `query_original_file_size` method of the Hyper Data Protector Plugin. The specific flaw stems from the lack of proper validation of a user-supplied string before it is used to construct SQL queries. An attacker who has already obtained low-privileged access to the NAS can exploit this SQL injection to execute arbitrary commands in the context of the root user, effectively gaining full control over the device.
Although the vulnerability requires authentication to exploit, the advisory notes that the existing authentication mechanism can be bypassed, lowering the barrier for attackers. The attack vector is network-adjacent, meaning an attacker must be on the same local network as the target QNAP device, but no user interaction is required beyond the initial authentication step.
QNAP has released a security update to address the vulnerability. The advisory directs users to the vendor's security bulletin at QSA-25-48 for patching instructions. The disclosure timeline shows the vulnerability was reported to QNAP on December 15, 2025, and the coordinated public release occurred on March 16, 2026.
The discovery was credited to Sina Kheirkhah (@SinSinology) of the Summoning Team (@SummoningTeam), who demonstrated the exploit at the Pwn2Own hacking contest. Pwn2Own is a well-known competition where researchers earn significant bounties for demonstrating zero-day exploits against widely used products, and this finding adds to the growing list of vulnerabilities uncovered in NAS devices.
NAS appliances like the QNAP devices are increasingly targeted by attackers due to their persistent internet connectivity and the sensitive data they often store. This vulnerability highlights the importance of promptly applying vendor patches and restricting network access to administrative interfaces. Users of the QNAP TS-453E should apply the security update immediately and consider segmenting their NAS devices from untrusted network segments.