QNAP: Critical QNAP QVR Pro Vulnerability Lets Remote Attackers Gain Access to the System

Critical QNAP QVR Pro Vulnerability Exposes Surveillance Systems to Remote Attacks

QNAP has issued an urgent security advisory addressing a severe vulnerability (CVE-2026-22898) in its QVR Pro surveillance software, which allows unauthenticated remote attackers to gain unauthorized access to affected systems. The flaw, discovered by security researchers at FuzzingLabs, stems from a missing authentication check in critical functions of the QVR Pro application, enabling threat actors to bypass access controls entirely.

Affected versions include QVR Pro 2.7.x. Exploitation could grant attackers control over surveillance configurations and live or recorded video feeds, and could enable lateral movement to other connected devices on the network. Given that network-attached storage (NAS) devices are prime targets for ransomware, botnets, and data extortion, unpatched systems face heightened risks of full compromise and malicious payload deployment.

QNAP has released a patch in version 2.7.4.1485, which restores proper authentication checks. Administrators are advised to update immediately via the QTS or QuTS hero interface by navigating to the App Center, locating QVR Pro, and installing the latest version. Successful patch installation should be verified to ensure protection against exploitation.

Source: https://cybersecuritynews.com/qnap-qvr-pro-vulnerability/

QNAP Systems cybersecurity rating report: https://www.rankiteo.com/company/qnap-systems-inc

"id": "QNA1774290227",
"linkid": "qnap-systems-inc",
"type": "Vulnerability",
"date": "3/2026",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'industry': 'Technology (Network-Attached Storage, '
                                    'Surveillance Software)',
                        'name': 'QNAP',
                        'type': 'Company'}],
 'attack_vector': 'Remote',
 'customer_advisories': 'Urgent update advisory for QVR Pro users',
 'data_breach': {'sensitivity_of_data': 'High (surveillance footage, system '
                                        'access)',
                 'type_of_data_compromised': 'Surveillance data (video feeds, '
                                             'configurations)'},
 'description': 'QNAP has issued an urgent security advisory addressing a '
                'severe vulnerability (CVE-2026-22898) in its QVR Pro '
                'surveillance software, which allows unauthenticated remote '
                'attackers to gain unauthorized access to affected systems. '
                'The flaw stems from a missing authentication check in '
                'critical functions of the QVR Pro application, enabling '
                'threat actors to bypass access controls entirely. '
                'Exploitation could grant attackers control over surveillance '
                'configurations, live or recorded video feeds, and lateral '
                'movement to other connected devices on the network.',
 'impact': {'data_compromised': 'Surveillance configurations, live/recorded '
                                'video feeds',
            'operational_impact': 'Unauthorized access to surveillance '
                                  'systems, potential lateral movement to '
                                  'connected devices',
            'systems_affected': 'QVR Pro surveillance software (versions '
                                '2.7.x)'},
 'post_incident_analysis': {'corrective_actions': 'Patch released to restore '
                                                  'proper authentication '
                                                  'checks',
                            'root_causes': 'Missing authentication check in '
                                           'QVR Pro critical functions'},
 'recommendations': 'Administrators should immediately update to QVR Pro '
                    '2.7.4.1485 and verify successful patch installation.',
 'references': [{'source': 'QNAP Security Advisory'},
                {'source': 'FuzzingLabs'}],
 'response': {'communication_strategy': 'Urgent security advisory issued',
              'containment_measures': 'Patch released (QVR Pro 2.7.4.1485)',
              'remediation_measures': 'Update to QVR Pro 2.7.4.1485 via QTS or '
                                      'QuTS hero interface',
              'third_party_assistance': 'FuzzingLabs (security researchers)'},
 'title': 'Critical QNAP QVR Pro Vulnerability Exposes Surveillance Systems to '
          'Remote Attacks',
 'type': 'Vulnerability Exploitation',
 'vulnerability_exploited': 'CVE-2026-22898 (Missing authentication check in '
                            'QVR Pro)'}