QNAP TS-453E NAS Vulnerability Disclosed After Pwn2Own Exploitation
A new information disclosure vulnerability in the QNAP TS-453E NAS device, discovered during Pwn2Own, allows network-adjacent attackers to leak sensitive data via error messages, even bypassing authentication.
A new information disclosure vulnerability in the QNAP TS-453E NAS device has been publicly disclosed by the Zero Day Initiative (ZDI) as ZDI-26-242, following its discovery during the Pwn2Own hacking competition. Tracked as CVE-2025-62840, the flaw resides in the `server_handlers.pyc` endpoint` and allows network-adjacent attackers to leak sensitive information through error messages, even when authentication is required. The vulnerability was reported by researchers Bongeun Koo and Evangelos Daravigkas of Team DDOS.
The specific flaw exists within the handling of the `rr2s.kwargs` parameter provided to the `server_handlers.pyc` endpoint. The issue results from outputting an error message that includes sensitive information. Although authentication is required to exploit, the existing authentication mechanism can be bypassed, making the flaw exploitable without valid credentials. An attacker can leverage this information disclosure in conjunction with other vulnerabilities to execute arbitrary code in the context of the RR2 administrator.
The vulnerability carries a CVSS score of 3.5 (AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N), indicating a low severity but with a low attack complexity and no user interaction required. The attack vector is adjacent network, meaning the attacker must be on the same local network as the target device. This makes the flaw particularly dangerous for enterprise environments where NAS devices are often deployed on internal networks with limited segmentation.
QNAP has released a security update to address this vulnerability, detailed in advisory QSA-25-46. The update is available through the company's official security advisory page. Users of the TS-453E are strongly advised to apply the patch immediately to mitigate the risk of information disclosure and potential follow-on attacks.
The disclosure timeline shows the vulnerability was reported to QNAP on November 18, 2025, with the coordinated public release occurring on March 30, 2026. This five-month window allowed QNAP to develop and distribute the fix before the details were made public. The advisory was updated on the same day as the public release.
This disclosure highlights the ongoing importance of security research competitions like Pwn2Own in identifying and fixing vulnerabilities in widely used consumer and enterprise devices. The QNAP TS-453E is a popular network-attached storage device used by both home users and small businesses, making the discovery of even low-severity flaws significant for the security posture of many organizations.