CVE-2026-22898 describes a critical missing authentication vulnerability affecting QVR Pro versions 2.7.0 through 2.7.4.14. Successful exploitation allows remote attackers to gain unauthorized access to the system. This vulnerability has been addressed in QVR Pro version 2.7.4.14 and subsequent releases.
The missing authentication control allows attackers to bypass security measures and directly interact with sensitive system functions within QVR Pro. This could lead to unauthorized data access, modification, or deletion, potentially compromising the integrity and confidentiality of video recordings and related metadata. Depending on the system configuration, an attacker could also leverage this access to move laterally within the network, impacting other connected devices and services. The blast radius extends to any data or functionality accessible through the QVR Pro interface.
CVE-2026-22898 was publicly disclosed on 2026-03-20. Currently, there are no publicly available proof-of-concept exploits. The EPSS score is pending evaluation. Monitor QNAP security advisories and threat intelligence feeds for any updates regarding active exploitation campaigns.
Organizations utilizing QVR Pro for video surveillance and recording, particularly those with older versions (2.7.0–2.7.4.14) deployed in environments with limited network segmentation or weak access controls, are at significant risk. Shared hosting environments where multiple users share a single QVR Pro instance are also vulnerable.
• qnap / server:
journalctl -u qvrpro | grep -i "authentication failed"
• qnap / server:
ps aux | grep qvrpro
• generic web: Check for unusual network traffic directed towards the QVR Pro server using network monitoring tools.
EPSS: 0.44% (63rd percentile)
The primary mitigation for CVE-2026-22898 is to immediately upgrade QVR Pro to version 2.7.4.14 or a later, patched release. If an immediate upgrade is not feasible due to compatibility concerns or system downtime requirements, consider implementing stricter network segmentation to limit external access to the QVR Pro server. Review and strengthen firewall rules to restrict access to only authorized IP addresses. While a WAF might not directly address this authentication bypass, it can help detect and block suspicious traffic patterns associated with exploitation attempts. Verify that all default accounts have strong, unique passwords.
Upgrade QVR Pro to version 2.7.4.14 or later. This update fixes the missing authentication vulnerability that allows unauthorized access to the system.
CVE-2026-22898 is a vulnerability in QVR Pro versions 2.7.0–2.7.4.14 where a critical function lacks authentication, allowing attackers to gain system access.
If you are running QVR Pro versions 2.7.0 through 2.7.4.14, you are potentially affected by this vulnerability.
Upgrade QVR Pro to version 2.7.4.14 or a later version to address the missing authentication vulnerability.
Currently, there are no publicly known active exploitation campaigns, but it's crucial to apply the patch promptly.
Refer to the official QNAP security advisory for detailed information and updates regarding CVE-2026-22898.