QNAP QHora-322 Flaws Enable Authentication Bypass and Root RCE
QNAP disclosed fixes for two vulnerabilities in the QHora-322 router after public advisories from Trend Micro's Zero Day Initiative linked the bugs to Pwn2Own research by Bongeun Koo and Evangelos Daravigkas of Team DDOS. One flaw, CVE-2025-62845 (ZDI-26-240), affects the qvpn_db_mgr endpoint and allows attackers to bypass QBelt VPN authentication through improper neutralization of escape sequences in the role_type parameter. The issue was rated CVSS 6.3.
A second flaw, CVE-2025-62846 (ZDI-26-241), also in qvpn_db_mgr, stems from improper validation of user input used to build SQL queries, creating a username SQL injection condition that can lead to remote code execution as root. ZDI said exploitation nominally requires authentication, but the product's authentication mechanism can be bypassed, making the bugs especially dangerous when chained. QNAP has released updates to remediate the vulnerabilities, and the RCE issue was assigned a CVSS 8.8 severity score.
Timeline
Mar 30, 2026
ZDI publicly discloses QNAP QHora-322 auth bypass and RCE flaws
On March 30, 2026, Zero Day Initiative published advisories ZDI-26-240 and ZDI-26-241 for two QNAP QHora-322 vulnerabilities. The disclosures covered CVE-2025-62845, which can bypass QBelt VPN authentication, and CVE-2025-62846, a SQL injection issue that can enable remote code execution as root.
Mar 30, 2026
QNAP releases updates for QHora-322 vulnerabilities
QNAP released updates to remediate two QHora-322 vulnerabilities: CVE-2025-62845, an authentication bypass in the qvpn_db_mgr endpoint affecting the role_type parameter, and CVE-2025-62846, a username SQL injection in qvpn_db_mgr that can lead to remote code execution as root. The advisories state that fixes were made available before public disclosure.
Mar 30, 2026
ZDI discloses QNAP QHora-322 firewall bypass flaw
On March 30, 2026, Zero Day Initiative published advisory ZDI-26-237 for CVE-2025-62843, a firewall bypass vulnerability in the QNAP QHora-322 router caused by improper handling of IPv6 firewall rules on PPPoE connections. QNAP had already released a fix and published guidance in advisory QSA-26-12; the issue was credited to Bongeun Koo and Evangelos Daravigkas of Team DDOS.
Nov 18, 2025
Researchers report two QNAP QHora-322 flaws to vendor
Bongeun Koo and Evangelos Daravigkas of Team DDOS reported two vulnerabilities affecting the QNAP QHora-322 router to QNAP through the coordinated disclosure process. The vendor report date for the disclosed issues was November 18, 2025.
See the full picture in Mallory
Mallory subscribers get deeper analysis on every story, including:
Who’s affected and how
Deep-dive technical analysis
Actionable next steps for your team
IPs, domains, hashes, and more
Ask questions and take action on every story
Filter by topic, classification, timeframe
Get matching stories delivered automatically
Sources
Related Stories
QNAP QHora-322 Router Flaws Allow Authentication Bypass via Arbitrary QCloud Accounts
Zero Day Initiative advisories disclosed two authentication bypass vulnerabilities in **QNAP QHora-322** routers that let a network-adjacent attacker log in using an arbitrary **QCloud** account without prior authentication. The flaws are tracked as **CVE-2024-13088** (`ZDI-26-244`, `ZDI-CAN-25846`) and **CVE-2025-62844** (`ZDI-26-239`, `ZDI-CAN-28422`). One issue affects the `miro_webserver_controllers_api_login_singIn` function, while the other stems from improper handling of the `qurouter_token` parameter in the `login.newAuthMiddleware.Authenticator` endpoint. The advisories said the bugs were disclosed through the **Pwn2Own/ZDI** process and could be used on their own or chained with other vulnerabilities to bypass router authentication. ZDI assigned CVSS scores of **5.0** and **5.6** to the issues, and QNAP released fixes and remediation guidance in security advisories **QSA-25-15** and **QSA-26-12**. The second vulnerability was credited to **Bongeun Koo** and **Evangelos Daravigkas** of **Team DDOS**.
1 months ago
QNAP Fixes Unauthenticated Access in QVR Pro and Command Injection in QuNetSwitch
QNAP disclosed two high-severity vulnerabilities affecting its **QVR Pro** and **QuNetSwitch** products that could be exploited remotely without authentication or user interaction. **CVE-2026-22898** is a missing authentication for critical function flaw in QVR Pro, classified as `CWE-306`, that can let remote attackers gain access to the system. QNAP said the issue is fixed in **QVR Pro 2.7.4.14** and later and published advisory **QSA-26-07**. QNAP also addressed **CVE-2026-22897**, a `CWE-78` command injection flaw in **QuNetSwitch** that could allow remote attackers to execute arbitrary commands on vulnerable devices. The company said the bug was fixed in **QuNetSwitch 2.0.4.0415** and later. Both CVE records carry **CVSS v4.0** assessments indicating network-based exploitation with low attack complexity, no required privileges, and no user interaction, making prompt patching a priority for exposed systems.
2 weeks ago
QNAP Patches Multiple Vulnerabilities in License Center and NAS Tools
QNAP has addressed several security vulnerabilities affecting its License Center application and other NAS tools, which could allow attackers to access sensitive information or disrupt services on affected devices. The vulnerabilities, identified as CVE-2025-52871 (out-of-bounds read) and CVE-2025-53597 (buffer overflow), require an attacker to have access to a valid or administrator account, making credential theft or weak passwords a significant risk factor. QNAP has released patches in License Center 2.0.36 and later, urging organizations and home users to update immediately, especially if their NAS devices are accessible from the internet or shared among multiple users. In addition to the License Center flaws, QNAP also patched high-severity SQL injection and path traversal vulnerabilities in its NAS products. These vulnerabilities could have allowed attackers to execute arbitrary code or access restricted files, further emphasizing the importance of timely updates. Users are advised to access the QTS or QuTS hero management interface and apply the latest security updates to mitigate these risks and protect sensitive data stored on QNAP devices.
1 months ago