QNAP QHora-322 Router Flaws Allow Authentication Bypass via Arbitrary QCloud Accounts
Zero Day Initiative advisories disclosed two authentication bypass vulnerabilities in QNAP QHora-322 routers that let a network-adjacent attacker log in using an arbitrary QCloud account without prior authentication. The flaws are tracked as CVE-2024-13088 (ZDI-26-244, ZDI-CAN-25846) and CVE-2025-62844 (ZDI-26-239, ZDI-CAN-28422). One issue affects the miro_webserver_controllers_api_login_singIn function, while the other stems from improper handling of the qurouter_token parameter in the login.newAuthMiddleware.Authenticator endpoint.
The advisories said the bugs were disclosed through the Pwn2Own/ZDI process and could be used on their own or chained with other vulnerabilities to bypass router authentication. ZDI assigned CVSS scores of 5.0 and 5.6 to the issues, and QNAP released fixes and remediation guidance in security advisories QSA-25-15 and QSA-26-12. The second vulnerability was credited to Bongeun Koo and Evangelos Daravigkas of Team DDOS.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
ZDI publicly discloses two QHora-322 authentication bypass vulnerabilities
On March 30, 2026, Zero Day Initiative published coordinated Pwn2Own advisories for two QNAP QHora-322 authentication bypass flaws: CVE-2024-13088 in miro_webserver_controllers_api_login_singIn and CVE-2025-62844 in login.newAuthMiddleware.Authenticator. Both issues allowed a network-adjacent attacker to authenticate using an arbitrary QCloud account without prior authentication.
QNAP receives report of QHora-322 authentication bypass flaw
Zero Day Initiative reported an authentication bypass vulnerability in QNAP QHora-322 routers, tracked as CVE-2024-13088 / ZDI-CAN-25846, to the vendor. The report was submitted on December 13, 2024.
QNAP releases fixes and security advisories for QHora-322 flaws
QNAP issued updates to remediate two authentication bypass vulnerabilities affecting QHora-322 routers and published related advisories QSA-25-15 and QSA-26-12. One flaw was tracked as CVE-2024-13088 and the other as CVE-2025-62844.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
QNAP QHora-322 Flaws Enable Authentication Bypass and Root RCE
QNAP disclosed fixes for two vulnerabilities in the **QHora-322** router after public advisories from Trend Micro's Zero Day Initiative linked the bugs to Pwn2Own research by Bongeun Koo and Evangelos Daravigkas of Team DDOS. One flaw, **CVE-2025-62845** (`ZDI-26-240`), affects the `qvpn_db_mgr` endpoint and allows attackers to bypass **QBelt VPN** authentication through improper neutralization of escape sequences in the `role_type` parameter. The issue was rated **CVSS 6.3**. A second flaw, **CVE-2025-62846** (`ZDI-26-241`), also in `qvpn_db_mgr`, stems from improper validation of user input used to build SQL queries, creating a username SQL injection condition that can lead to **remote code execution as root**. ZDI said exploitation nominally requires authentication, but the product's authentication mechanism can be bypassed, making the bugs especially dangerous when chained. QNAP has released updates to remediate the vulnerabilities, and the RCE issue was assigned a **CVSS 8.8** severity score.
Mar 30, 2026
QNAP Fixes Unauthenticated Access in QVR Pro and Command Injection in QuNetSwitch
QNAP disclosed two high-severity vulnerabilities affecting its **QVR Pro** and **QuNetSwitch** products that could be exploited remotely without authentication or user interaction. **CVE-2026-22898** is a missing authentication for critical function flaw in QVR Pro, classified as `CWE-306`, that can let remote attackers gain access to the system. QNAP said the issue is fixed in **QVR Pro 2.7.4.14** and later and published advisory **QSA-26-07**. QNAP also addressed **CVE-2026-22897**, a `CWE-78` command injection flaw in **QuNetSwitch** that could allow remote attackers to execute arbitrary commands on vulnerable devices. The company said the bug was fixed in **QuNetSwitch 2.0.4.0415** and later. Both CVE records carry **CVSS v4.0** assessments indicating network-based exploitation with low attack complexity, no required privileges, and no user interaction, making prompt patching a priority for exposed systems.
Apr 15, 2026
QNAP Patches Seven Zero-Day Vulnerabilities Exploited at Pwn2Own
QNAP has released security updates to address seven zero-day vulnerabilities in its network-attached storage (NAS) products after these flaws were exploited by security researchers during the Pwn2Own Ireland 2025 competition. The vulnerabilities affected QNAP's QTS and QuTS hero operating systems, as well as key applications including Hyper Data Protector, Malware Remover, and HBS 3 Hybrid Backup Sync. The exploits were demonstrated by teams such as Summoning Team, DEVCORE, Team DDOS, and a CyCraft technology intern, highlighting the critical nature of these security issues. QNAP has provided patched versions for all affected software and strongly recommends that users update to the latest releases and change all passwords to enhance security. The company has published detailed advisories and instructions for updating both the operating systems and vulnerable applications through the QTS or QuTS hero interface. Regular updates and monitoring of product support status are advised to ensure ongoing protection against similar vulnerabilities.
Mar 21, 2026