ZDI 2026-03-30

ZDI-26-243: (Pwn2Own) QNAP TS-453E write_file_to_svr External Control of File Path Remote Code Execution Vulnerability

CVE-2025-62842

Machine-generated analysis · WAYSCloud LLM

The vulnerability affects QNAP TS-453E devices and involves external control of a file path via the write_file_to_svr function, potentially allowing remote code execution.

Context

The affected product is the QNAP TS-453E, a network-attached storage device. The vulnerability is an external control of file path issue in the write_file_to_svr function that can lead to remote code execution. Authentication is required but can be bypassed, according to the advisory. The ZDI assigned a CVSS score of 6.8, indicating a medium severity rating.

Operator considerations

Check: Verify if QNAP TS-453E devices are in use and whether they are exposed to network-adjacent access.

From Zero Day Initiative ↗

This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of QNAP TS-453E devices. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The ZDI has assigned a CVSS rating of 6.8. The following CVEs are assigned: CVE-2025-62842.

Read the full advisory on ZDI →