CVE-2026-22898 describes a critical missing authentication vulnerability affecting QVR Pro versions 2.7.0 through 2.7.4.14. Successful exploitation allows remote attackers to gain unauthorized access to the system. This vulnerability has been addressed in QVR Pro version 2.7.4.14 and subsequent releases.
The missing authentication control allows attackers to bypass security measures and directly interact with sensitive system functions within QVR Pro. This could lead to unauthorized data access, modification, or deletion, potentially compromising the integrity and confidentiality of video recordings and related metadata. Depending on the system configuration, an attacker could also leverage this access to move laterally within the network, impacting other connected devices and services. The blast radius extends to any data or functionality accessible through the QVR Pro interface.
CVE-2026-22898 was publicly disclosed on 2026-03-20. Currently, there are no publicly available proof-of-concept exploits. The EPSS score is pending evaluation. Monitor QNAP security advisories and threat intelligence feeds for any updates regarding active exploitation campaigns.
Organizations utilizing QVR Pro for video surveillance and recording, particularly those with older versions (2.7.0–2.7.4.14) deployed in environments with limited network segmentation or weak access controls, are at significant risk. Shared hosting environments where multiple users share a single QVR Pro instance are also vulnerable.
• qnap / server:
  journalctl -u qvrpro | grep -i "authentication failed"
• qnap / server:
  ps aux | grep qvrpro
• generic web: Check for unusual network traffic directed towards the QVR Pro server using network monitoring tools.
EPSS: 0.44% (63rd percentile)
The primary mitigation for CVE-2026-22898 is to immediately upgrade QVR Pro to version 2.7.4.14 or a later, patched release. If an immediate upgrade is not feasible due to compatibility concerns or system downtime requirements, consider implementing stricter network segmentation to limit external access to the QVR Pro server. Review and strengthen firewall rules to restrict access to only authorized IP addresses. While a WAF might not directly address this authentication bypass, it can help detect and block suspicious traffic patterns associated with exploitation attempts. Verify that all default accounts have strong, unique passwords.
Upgrade QVR Pro to version 2.7.4.14 or later. This update fixes the missing authentication vulnerability that allows unauthorized access to the system.
CVE-2026-22898 is a vulnerability in QVR Pro versions 2.7.0–2.7.4.14 where a critical function lacks authentication, allowing attackers to gain system access.
If you are running QVR Pro versions 2.7.0 through 2.7.4.14, you are potentially affected by this vulnerability.
Upgrade QVR Pro to version 2.7.4.14 or a later version to address the missing authentication vulnerability.
Currently, there are no publicly known active exploitation campaigns, but it's crucial to apply the patch promptly.
Refer to the official QNAP security advisory for detailed information and updates regarding CVE-2026-22898.