Description
A missing authentication for critical function vulnerability has been reported to affect QVR Pro. The remote attackers can then exploit the vulnerability to gain access to the system.

We have already fixed the vulnerability in the following version:
QVR Pro 2.7.4.14 and later
Published: 2026-03-20
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Access and Potential Compromise
Action: Patch
AI Analysis

Impact

QNAP QVR Pro has a missing authentication flaw in a critical function. An attacker who reaches the affected system can bypass authentication and obtain access. The vulnerability is a CWE-306 weakness, which can lead to unauthorized use of system resources and data exposure.

Affected Systems

The vulnerability affects QNAP Systems Inc.’s QVR Pro appliance. All versions prior to QVR Pro 2.7.4.14 are considered vulnerable; the manufacturer has released a fix in 2.7.4.14 and later.

Risk and Exploitability

The CVSS 4.0 score of 9.3 rates the flaw as critical: per the vector, it is reachable over the network with low attack complexity and requires no privileges or user interaction. EPSS is below 1%, indicating a low probability of exploitation at present, and the CVE is not listed in the CISA KEV catalog. The likely attack path requires remote access to the QVR Pro interface and is performed via an authentication bypass, enabling attackers to assume system-level privileges.

Generated by OpenCVE AI on April 14, 2026 at 15:32 UTC.

Remediation

Vendor Solution

We have already fixed the vulnerability in the following version: QVR Pro 2.7.4.14 and later


OpenCVE Recommended Actions

  • Apply the QVR Pro 2.7.4.14 patch or later version immediately
  • Verify the deployment of the new firmware on all QVR Pro devices
  • Monitor authentication logs for any signs of unauthorized access attempts

Advisories

No advisories yet.

History

Tue, 14 Apr 2026 14:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Qnap; Qnap qvr Pro |
| CPEs | | `cpe:2.3:a:qnap:qvr_pro:*:*:*:*:*:*:*:*` |
| Vendors & Products | | Qnap; Qnap qvr Pro |
| Metrics | | cvssV3_1: `{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}` |


Fri, 27 Mar 2026 05:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc: `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}` |


Mon, 23 Mar 2026 10:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Qnap Systems; Qnap Systems qvr Pro |
| Vendors & Products | | Qnap Systems; Qnap Systems qvr Pro |

Fri, 20 Mar 2026 16:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | A missing authentication for critical function vulnerability has been reported to affect QVR Pro. The remote attackers can then exploit the vulnerability to gain access to the system. We have already fixed the vulnerability in the following version: QVR Pro 2.7.4.14 and later |
| Title | | QVR Pro |
| Weaknesses | | CWE-306 |
| References | | |
| Metrics | | cvssV4_0: `{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}` |


MITRE

Status: PUBLISHED

Assigner: qnap

Published:

Updated: 2026-03-27T03:55:39.294Z

Reserved: 2026-01-13T07:49:08.784Z

Link: CVE-2026-22898

Vulnrichment

Updated: 2026-03-25T14:04:16.756Z

NVD

Status: Analyzed

Published: 2026-03-20T17:16:44.307

Modified: 2026-04-14T14:33:30.040

Link: CVE-2026-22898

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-14T16:43:52Z

Weaknesses