VYPR
Advisory · Published Mar 16, 2026 · Updated May 18, 2026 · 1 source

QNAP TS-453E Format String Bug (CVE-2025-62848) Disclosed as Part of Pwn2Own

A format string vulnerability in QNAP TS-453E NAS devices, disclosed at Pwn2Own, allows network-adjacent attackers to execute arbitrary code as admin.

A format string vulnerability in the conn_log_tool executable on QNAP TS-453E network-attached storage devices has been publicly disclosed as part of the Pwn2Own hacking contest. Tracked as CVE-2025-62848 and assigned a CVSS score of 5.5, the flaw allows network-adjacent attackers to execute arbitrary code in the context of the admin user. The vulnerability was reported by researchers from the DEVCORE Research Team and Internship Program, including YingMuo, HexRabbit, LJP, and nella17.

The specific flaw resides in the handling of the format parameter provided to the conn_log_tool executable. The issue stems from the lack of proper validation of a user-supplied string before using it as a format specifier. While authentication is required to exploit this vulnerability, the advisory notes that the existing authentication mechanism can be bypassed, lowering the practical barrier to exploitation. An attacker can leverage this format string bug in conjunction with other vulnerabilities to achieve remote code execution.
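To illustrate the bug class described above (an uncontrolled format string, CWE-134), here is an added example that is not QNAP's code and does not come from the advisory: it keeps untrusted input in the argument position of a constant format and counts format directives in that input so they can be rejected or flagged. The names `count_conversions` and `write_log_line` and the `conn: ` prefix are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Count printf-style directives in untrusted input. "%%" is a literal
 * percent sign and is not counted; any other '%' would be parsed as a
 * directive if the string ever reached a printf-family format argument.
 * A non-zero result is grounds to reject the input or raise an alert. */
int count_conversions(const char *s) {
    int n = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }
        n++;
    }
    return n;
}

/* Vulnerable pattern, shown only as a comment:
 *     snprintf(out, n, user);
 * Here the caller-supplied string is the format itself.
 *
 * Hardened pattern: the format is a compile-time constant and the
 * untrusted string is passed as data, so it is copied verbatim.
 * Returns 0 on success, -1 on error or truncation. */
int write_log_line(char *out, size_t n, const char *user) {
    int r = snprintf(out, n, "conn: %s", user);
    return (r < 0 || (size_t)r >= n) ? -1 : 0;
}

int main(void) {
    /* Constructed sample inputs, not taken from the advisory. */
    const char *samples[] = { "alice", "100%% done", "%x.%x.%n" };
    char line[64];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int rc = write_log_line(line, sizeof line, samples[i]);
        printf("directives=%d rc=%d line=[%s]\n",
               count_conversions(samples[i]), rc, line);
    }
    return 0;
}
```

Compiling with `-Wformat -Wformat-security` (GCC or Clang) flags the vulnerable pattern at build time when a non-literal string is passed as the format.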

QNAP has released a security update to address the vulnerability, detailed in advisory QSA-25-45. The update is available for download from QNAP's official security advisory page. Users of the TS-453E are strongly advised to apply the patch as soon as possible to mitigate the risk of exploitation. The disclosure timeline shows the vulnerability was reported to QNAP on November 18, 2025, with coordinated public release on March 16, 2026.

The TS-453E is a popular mid-range NAS device used by small businesses and home users for data storage, backup, and media streaming. While the CVSS score of 5.5 is moderate, the ability to bypass authentication and execute code as admin makes this a serious threat, especially in environments where NAS devices are exposed to internal networks or accessible from adjacent networks. The Pwn2Own context underscores the real-world exploitability of the bug.

This disclosure is part of a broader trend of vulnerabilities being uncovered in network-attached storage devices, which often run complex software stacks and are frequently targeted by attackers seeking persistent access to sensitive data. QNAP has been proactive in issuing patches, but the onus remains on users to keep their devices updated. The involvement of the DEVCORE team, which won the Pwn2Own Berlin 2026 contest, highlights the high caliber of research behind this finding.

In summary, CVE-2025-62848 represents a significant security risk for QNAP TS-453E users. The combination of a format string vulnerability, authentication bypass, and the ability to execute code as admin makes it a prime target for attackers. Immediate patching is recommended to prevent potential compromise.

Synthesized by Vypr AI