Critical QNAP QVR Pro Vulnerability Exposes Systems to Remote Attacks

Critical QNAP QVR Pro Vulnerability Exposes Systems to Remote Attacks

First seen 23 Mar 2026, 12:36 UTC GbhackersHeise.DeCybersecuritynewsStoragenewsletter 86% similarity 72.9

Article Content

Browse articles
ThreatCluster

QNAP has issued an urgent advisory regarding a critical vulnerability in its QVR Pro application, disclosed on March 21, 2026, identified as CVE-2026-22898. This flaw allows unauthorized remote attackers to access systems without authentication due to a missing security check. Affected systems include those running QVR Pro version 2.7.x, which is widely used for network video surveillance. The vulnerability could enable attackers to view surveillance feeds, alter configurations, or delete video archives, posing significant risks to both physical security and corporate data integrity. Fortunately, QNAP has released a patch in version 2.7.4.1485 to address this issue. Organizations are urged to update their systems immediately to mitigate potential exploitation. Other vulnerabilities in QNAP's software also exist, but the QVR Pro flaw is considered the most critical. As of now, there are no reports of active exploitation of this vulnerability.

Key Points: • CVE-2026-22898 allows remote access without authentication in QVR Pro. • Patch available in QVR Pro version 2.7.4.1485; immediate updates are recommended. • No reports of active exploitation have been confirmed yet.

ThreatCluster AI

Timeline

2026-03-20
CVE-2026-22898 published
2026-03-20
CVE-2025-62845 published
2026-03-20
CVE-2026-22900 published
2026-03-20
CVE-2026-22901 published
2026-03-21
QNAP disclosed the vulnerability in a security advisory
2026-03-23
QNAP released patch version 2.7.4.1485 to fix the vulnerability

Community

Browse all →