QNAP QHora-322 Flaws Enable Authentication Bypass and Root RCE
QNAP disclosed fixes for two vulnerabilities in the QHora-322 router after public advisories from Trend Micro's Zero Day Initiative linked the bugs to Pwn2Own research by Bongeun Koo and Evangelos Daravigkas of Team DDOS. One flaw, CVE-2025-62845 (ZDI-26-240), affects the qvpn_db_mgr endpoint and allows attackers to bypass QBelt VPN authentication through improper neutralization of escape sequences in the role_type parameter. The issue was rated CVSS 6.3.
A second flaw, CVE-2025-62846 (ZDI-26-241), also in qvpn_db_mgr, stems from improper validation of user input used to build SQL queries, creating a username SQL injection condition that can lead to remote code execution as root. ZDI said exploitation nominally requires authentication, but the product's authentication mechanism can be bypassed, making the bugs especially dangerous when chained. QNAP has released updates to remediate the vulnerabilities, and the RCE issue was assigned a CVSS 8.8 severity score.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
ZDI publicly discloses QNAP QHora-322 auth bypass and RCE flaws
On March 30, 2026, Zero Day Initiative published advisories ZDI-26-240 and ZDI-26-241 for two QNAP QHora-322 vulnerabilities. The disclosures covered CVE-2025-62845, which can bypass QBelt VPN authentication, and CVE-2025-62846, a SQL injection issue that can enable remote code execution as root.
QNAP releases updates for QHora-322 vulnerabilities
QNAP released updates to remediate two QHora-322 vulnerabilities: CVE-2025-62845, an authentication bypass in the qvpn_db_mgr endpoint affecting the role_type parameter, and CVE-2025-62846, a username SQL injection in qvpn_db_mgr that can lead to remote code execution as root. The advisories state that fixes were made available before public disclosure.
ZDI discloses QNAP QHora-322 firewall bypass flaw
On March 30, 2026, Zero Day Initiative published advisory ZDI-26-237 for CVE-2025-62843, a firewall bypass vulnerability in the QNAP QHora-322 router caused by improper handling of IPv6 firewall rules on PPPoE connections. QNAP had already released a fix and published guidance in advisory QSA-26-12; the issue was credited to Bongeun Koo and Evangelos Daravigkas of Team DDOS.
Researchers report two QNAP QHora-322 flaws to vendor
Bongeun Koo and Evangelos Daravigkas of Team DDOS reported two vulnerabilities affecting the QNAP QHora-322 router to QNAP through the coordinated disclosure process. The vendor report date for the disclosed issues was November 18, 2025.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
ZDI-26-241 | Zero Day Initiative
zerodayinitiative.com
Open sourceZDI-26-237 | Zero Day Initiative
zerodayinitiative.com
Open sourceZDI-26-240 | Zero Day Initiative
zerodayinitiative.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
QNAP QHora-322 Router Flaws Allow Authentication Bypass via Arbitrary QCloud Accounts
Zero Day Initiative advisories disclosed two authentication bypass vulnerabilities in **QNAP QHora-322** routers that let a network-adjacent attacker log in using an arbitrary **QCloud** account without prior authentication. The flaws are tracked as **CVE-2024-13088** (`ZDI-26-244`, `ZDI-CAN-25846`) and **CVE-2025-62844** (`ZDI-26-239`, `ZDI-CAN-28422`). One issue affects the `miro_webserver_controllers_api_login_singIn` function, while the other stems from improper handling of the `qurouter_token` parameter in the `login.newAuthMiddleware.Authenticator` endpoint. The advisories said the bugs were disclosed through the **Pwn2Own/ZDI** process and could be used on their own or chained with other vulnerabilities to bypass router authentication. ZDI assigned CVSS scores of **5.0** and **5.6** to the issues, and QNAP released fixes and remediation guidance in security advisories **QSA-25-15** and **QSA-26-12**. The second vulnerability was credited to **Bongeun Koo** and **Evangelos Daravigkas** of **Team DDOS**.
Mar 30, 2026
QNAP Fixes Unauthenticated Access in QVR Pro and Command Injection in QuNetSwitch
QNAP disclosed two high-severity vulnerabilities affecting its **QVR Pro** and **QuNetSwitch** products that could be exploited remotely without authentication or user interaction. **CVE-2026-22898** is a missing authentication for critical function flaw in QVR Pro, classified as `CWE-306`, that can let remote attackers gain access to the system. QNAP said the issue is fixed in **QVR Pro 2.7.4.14** and later and published advisory **QSA-26-07**. QNAP also addressed **CVE-2026-22897**, a `CWE-78` command injection flaw in **QuNetSwitch** that could allow remote attackers to execute arbitrary commands on vulnerable devices. The company said the bug was fixed in **QuNetSwitch 2.0.4.0415** and later. Both CVE records carry **CVSS v4.0** assessments indicating network-based exploitation with low attack complexity, no required privileges, and no user interaction, making prompt patching a priority for exposed systems.
Apr 15, 2026
QNAP Patches Multiple Vulnerabilities in License Center and NAS Tools
QNAP has addressed several security vulnerabilities affecting its License Center application and other NAS tools, which could allow attackers to access sensitive information or disrupt services on affected devices. The vulnerabilities, identified as CVE-2025-52871 (out-of-bounds read) and CVE-2025-53597 (buffer overflow), require an attacker to have access to a valid or administrator account, making credential theft or weak passwords a significant risk factor. QNAP has released patches in License Center 2.0.36 and later, urging organizations and home users to update immediately, especially if their NAS devices are accessible from the internet or shared among multiple users. In addition to the License Center flaws, QNAP also patched high-severity SQL injection and path traversal vulnerabilities in its NAS products. These vulnerabilities could have allowed attackers to execute arbitrary code or access restricted files, further emphasizing the importance of timely updates. Users are advised to access the QTS or QuTS hero management interface and apply the latest security updates to mitigate these risks and protect sensitive data stored on QNAP devices.
Mar 21, 2026