QNAP TS-453E Path Traversal Flaw (CVE-2025-62842) Allows Remote Code Execution as Admin
A path traversal vulnerability in QNAP TS-453E devices, disclosed at Pwn2Own, allows network-adjacent attackers to execute arbitrary code as the RR2 administrator by bypassing authentication.
A critical vulnerability in QNAP TS-453E network-attached storage devices has been disclosed, allowing network-adjacent attackers to execute arbitrary code with administrative privileges. The flaw, tracked as CVE-2025-62842 and documented in ZDI-26-243, was demonstrated at the Pwn2Own hacking contest by researchers from Team DDOS.
The vulnerability resides in the `write_file_to_svr` method of the QNAP TS-453E firmware. The issue stems from improper validation of user-supplied file paths, enabling an attacker to control file operations and write arbitrary files to the system. Although authentication is required, the advisory notes that the existing authentication mechanism can be bypassed, making exploitation feasible for network-adjacent attackers.
Successful exploitation allows an attacker to execute arbitrary code in the context of the RR2 administrator, granting full control over the device. This could lead to data theft, ransomware deployment, or use of the device as a pivot point for further attacks on the network. The CVSS score for this vulnerability is 6.8, reflecting the need for network adjacency and high privileges, but the authentication bypass reduces the effective difficulty.
QNAP has released a security update to address the vulnerability, detailed in advisory QSA-25-46. Users of the TS-453E are strongly urged to apply the patch immediately. The disclosure timeline shows the vulnerability was reported to QNAP on November 18, 2025, with coordinated public release on March 30, 2026.
The vulnerability was discovered and reported by Bongeun Koo (@kiddo_pwn) and Evangelos Daravigkas (@freddo_1337) of Team DDOS, who demonstrated the exploit at Pwn2Own. This contest has historically highlighted critical flaws in widely used enterprise and consumer devices, prompting vendors to issue timely patches.
This disclosure underscores the importance of proper input validation in network-attached storage devices, which often hold sensitive data and are frequently targeted by attackers. QNAP has faced similar vulnerabilities in the past, making it crucial for administrators to maintain up-to-date firmware and restrict network access to trusted devices only.