ZDI 2026-03-30

ZDI-26-242: (Pwn2Own) QNAP TS-453E server_handlers.pyc rr2s.kwargs Error Message Information Disclosure Vulnerability

CVE-2025-62840

Machine-generated analysis · WAYSCloud LLM

The vulnerability involves an information disclosure in the server_handlers.pyc rr2s.kwargs component of QNAP TS-453E devices, where authentication can be bypassed despite being nominally required.

Context

The affected product is the QNAP TS-453E, specifically the server_handlers.pyc rr2s.kwargs component. The vulnerability is an information disclosure that can be exploited by network-adjacent attackers. The advisory notes that authentication is required but can be bypassed. Worth noting is that the CVSS score is relatively low at 3.5, indicating limited impact or exploitability constraints.

Operator considerations

Check: Verify if QNAP TS-453E devices are running unpatched versions with the vulnerable server_handlers.pyc component.

From Zero Day Initiative ↗

This vulnerability allows network-adjacent attackers to disclose sensitive information on affected installations of QNAP TS-453E devices. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The ZDI has assigned a CVSS rating of 3.5. The following CVEs are assigned: CVE-2025-62840.

Read the full advisory on ZDI →