ZDI 2026-03-16

ZDI-26-198: (Pwn2Own) QNAP TS-453E malware_remover Code Injection Remote Code Execution Vulnerability

CVE-2025-11837

Machine-generated analysis · WAYSCloud LLM

Network-adjacent attackers can execute arbitrary code without authentication on QNAP TS-453E devices. The malware_remover component is vulnerable to code injection.

Context

The vulnerability affects the malware_remover component in QNAP TS-453E devices. It allows remote code execution via code injection without requiring authentication.

Operator considerations

Check: Inventory QNAP TS-453E devices for presence of malware_remover component.
Isolate: Segment network to limit access to QNAP TS-453E devices from untrusted networks.

From Zero Day Initiative ↗

This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of QNAP TS-453E devices. Authentication is not required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 8.8. The following CVEs are assigned: CVE-2025-11837.

Read the full advisory on ZDI →