QNAP Fixes Unauthenticated Access in QVR Pro and Command Injection in QuNetSwitch
QNAP disclosed two high-severity vulnerabilities affecting its QVR Pro and QuNetSwitch products that could be exploited remotely without authentication or user interaction. CVE-2026-22898 is a missing authentication for critical function flaw in QVR Pro, classified as CWE-306, that can let remote attackers gain access to the system. QNAP said the issue is fixed in QVR Pro 2.7.4.14 and later and published advisory QSA-26-07.
QNAP also addressed CVE-2026-22897, a CWE-78 command injection flaw in QuNetSwitch that could allow remote attackers to execute arbitrary commands on vulnerable devices. The company said the bug was fixed in QuNetSwitch 2.0.4.0415 and later. Both CVE records carry CVSS v4.0 assessments indicating network-based exploitation with low attack complexity, no required privileges, and no user interaction, making prompt patching a priority for exposed systems.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
QNAP fixes QuNetSwitch command injection vulnerability
QNAP said the QuNetSwitch command injection flaw tracked as CVE-2026-22897 was fixed in QuNetSwitch version 2.0.4.0415 and later. The vulnerability enables remote attackers to execute arbitrary commands on affected systems.
QNAP discloses and fixes CVE-2026-22898 in QVR Pro
QNAP disclosed CVE-2026-22898, a missing authentication for critical function vulnerability in QVR Pro that could let remote attackers gain access to the system. The company said the issue was fixed in QVR Pro version 2.7.4.14 and later and published advisory QSA-26-07.
QNAP receives report of QuNetSwitch command injection flaw
QNAP reported that the QuNetSwitch command injection vulnerability later assigned CVE-2026-22897 was received by security@qnapsecurity.com.tw. The flaw allows remote attackers to execute arbitrary commands on vulnerable systems.
ZDI reports QVRPro Plugin RCE flaw to QNAP
Zero Day Initiative reported a remote code execution vulnerability in the QVRPro Plugin on QNAP TS-453E devices to QNAP. The flaw, later tracked as CVE-2026-22898 and ZDI-CAN-28327, could be exploited by network-adjacent unauthenticated attackers to execute code as the postgres user.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
4 references tracked. Mallory keeps watching after this page renders.
Critical QNAP QVR Pro Vulnerability Let Remote Attackers Gain Access to the System
cybersecuritynews.com
Open sourceCVE-2026-22898 - QVR Pro
cvefeed.io
Open sourceCVE-2026-22897 - QuNetSwitch
cvefeed.io
Open sourceZDI-26-292 | Zero Day Initiative
zerodayinitiative.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
QNAP QHora-322 Flaws Enable Authentication Bypass and Root RCE
QNAP disclosed fixes for two vulnerabilities in the **QHora-322** router after public advisories from Trend Micro's Zero Day Initiative linked the bugs to Pwn2Own research by Bongeun Koo and Evangelos Daravigkas of Team DDOS. One flaw, **CVE-2025-62845** (`ZDI-26-240`), affects the `qvpn_db_mgr` endpoint and allows attackers to bypass **QBelt VPN** authentication through improper neutralization of escape sequences in the `role_type` parameter. The issue was rated **CVSS 6.3**. A second flaw, **CVE-2025-62846** (`ZDI-26-241`), also in `qvpn_db_mgr`, stems from improper validation of user input used to build SQL queries, creating a username SQL injection condition that can lead to **remote code execution as root**. ZDI said exploitation nominally requires authentication, but the product's authentication mechanism can be bypassed, making the bugs especially dangerous when chained. QNAP has released updates to remediate the vulnerabilities, and the RCE issue was assigned a **CVSS 8.8** severity score.
Mar 30, 2026
QNAP Patches Multiple Vulnerabilities in License Center and NAS Tools
QNAP has addressed several security vulnerabilities affecting its License Center application and other NAS tools, which could allow attackers to access sensitive information or disrupt services on affected devices. The vulnerabilities, identified as CVE-2025-52871 (out-of-bounds read) and CVE-2025-53597 (buffer overflow), require an attacker to have access to a valid or administrator account, making credential theft or weak passwords a significant risk factor. QNAP has released patches in License Center 2.0.36 and later, urging organizations and home users to update immediately, especially if their NAS devices are accessible from the internet or shared among multiple users. In addition to the License Center flaws, QNAP also patched high-severity SQL injection and path traversal vulnerabilities in its NAS products. These vulnerabilities could have allowed attackers to execute arbitrary code or access restricted files, further emphasizing the importance of timely updates. Users are advised to access the QTS or QuTS hero management interface and apply the latest security updates to mitigate these risks and protect sensitive data stored on QNAP devices.
Mar 21, 2026
QNAP Patches High-Severity Vulnerabilities in NetBak Replicator and Qsync Central
QNAP has addressed two high-severity security vulnerabilities affecting its NetBak Replicator and Qsync Central products. The first vulnerability, tracked as CVE-2025-53595, is an SQL injection flaw in Qsync Central. This vulnerability allows a remote attacker with a user account to execute unauthorized code or commands on the affected system. QNAP has released a fix for this issue in Qsync Central version 5.0.0.2 and later, mitigating the risk of exploitation. The second vulnerability, identified as CVE-2025-57714, impacts NetBak Replicator and is classified as an unquoted search path or element vulnerability. This flaw enables a local attacker with a user account to execute unauthorized code or commands, potentially leading to privilege escalation or further compromise of the system. The vulnerability in NetBak Replicator has been resolved in version 4.5.15.0807 and later. Both vulnerabilities have been assigned high CVSS scores, with the SQL injection in Qsync Central rated at 8.6 and the NetBak Replicator flaw at 8.5, reflecting their significant security impact. QNAP's security advisories recommend that users update to the latest versions of the affected products to ensure protection against these threats. The SQL injection vulnerability in Qsync Central is remotely exploitable, increasing its risk profile, while the NetBak Replicator issue requires local access. No specific details about exploitation in the wild have been reported, but the technical nature of the flaws underscores the importance of prompt patching. The vulnerabilities were reported to QNAP by security researchers and disclosed through official channels, including CVE databases and QNAP's own security team. The advisories do not list the exact affected product versions prior to the fixed releases, but users are urged to verify their software versions and apply updates as soon as possible. QNAP's response demonstrates a commitment to addressing security issues in a timely manner, with coordinated disclosure and clear communication to customers. Organizations using QNAP NetBak Replicator or Qsync Central should review their deployment, assess potential exposure, and implement the recommended updates. The vulnerabilities highlight the ongoing risk of both remote and local exploitation vectors in widely used backup and synchronization software. Security teams are advised to monitor for any signs of compromise and to follow best practices for user account management and software maintenance. The prompt release of patches and public disclosure of these vulnerabilities contribute to the overall security posture of QNAP's user base.
Mar 21, 2026