QNAP QVR Pro, missing authentication for critical function (QVR Pro Auth Bypass)

Overview

QNAP QVR Pro is the network video recorder (NVR) software that turns QNAP NAS hardware into a surveillance platform, managing IP cameras, live feeds, and recorded footage. CVE-2026-22898 is a critical missing-authentication-for-critical-function flaw (CWE-306) reported to affect QVR Pro 2.7.x. QNAP published advisory QSA-26-07 on March 21, 2026, and the issue (tracked by the Zero Day Initiative as ZDI-CAN-28327) is rated CVSS 3.1 9.8 by NVD (CVSS 4.0 9.3 secondary). Because a sensitive QVR Pro function does not enforce authentication, a remote attacker can reach the system without any credentials. There is no evidence of in-the-wild exploitation at the time of writing, but the network-reachable, no-privilege nature of the flaw makes prompt patching essential, particularly for internet-exposed surveillance deployments.

Technical Details

The vulnerability stems from a critical QVR Pro function that omits an authentication check. An attacker who can send crafted requests to the affected service over the network can invoke that function directly, with no valid username or password required. The NVD primary metrics describe a network attack vector (AV:N), low attack complexity (AC:L), no required privileges (PR:N), and no user interaction (UI:N), with high impact to confidentiality, integrity, and availability (C:H/I:H/A:H), yielding the maximum CVSS 3.1 base score of 9.8. The CVSS 4.0 secondary score of 9.3 likewise reflects high impact to the vulnerable system. Affected builds span QVR Pro 2.7.1.1259 through 2.7.4.1484; QNAP fixed the issue in build 2.7.4.14 and later (packaged as 2.7.4.1485 and above). Successful exploitation gives an attacker access to core QVR Pro functionality, from which surveillance configuration, live video, and recorded footage may be reachable.

Impact

• Unauthenticated, remote access to a critical QVR Pro function over the network.
• Potential access to live and recorded surveillance video feeds.
• Potential manipulation of surveillance configuration and camera/recording settings.
• Risk of lateral movement to other devices on the local network from a compromised NVR host.
• High impact to confidentiality, integrity, and availability of the surveillance system.

Mitigation

1. Update QVR Pro to build 2.7.4.14 or later (QNAP package version 2.7.4.1485 or later) through the QTS/QuTS hero App Center or the QVR Pro update mechanism.
2. In the App Center, open Settings and confirm automatic update is enabled for installed applications so future QVR Pro fixes are applied promptly.
3. Remove direct internet exposure of the NAS and QVR Pro: disable port forwarding/UPnP for the affected service and place the NVR behind a firewall or VPN.
4. Restrict access to the QVR Pro service to trusted management VLANs and source addresses only.
5. After updating, review camera, user, and recording configurations for unauthorized changes and rotate any administrative credentials.

Detection

Begin with version and exposure assessment. Confirm the installed QVR Pro build in the QNAP App Center; any build from 2.7.1.1259 up to 2.7.4.1484 is vulnerable, and 2.7.4.14 / 2.7.4.1485 or later is fixed. Identify whether the NAS or the QVR Pro service is reachable from the internet or from untrusted network segments, since externally exposed instances are the primary risk and should be prioritized for patching and isolation.

For network-based detection, monitor inbound connections to the QVR Pro service ports from unexpected or external source addresses. Requests that successfully invoke administrative or configuration functionality without a preceding authenticated login are the clearest indicator of abuse of this missing-authentication flaw. Where the platform exposes access or web logs, look for requests to QVR Pro endpoints that return success responses but have no associated authenticated session, and for bursts of requests consistent with automated scanning that often follows public disclosure of a NAS/NVR vulnerability.

On the device, review QVR Pro and NAS audit/event logs for new or modified user accounts, changes to camera definitions, altered recording schedules or retention settings, and unexpected export or download of footage. Sudden changes to surveillance configuration that do not correspond to a known administrator action should be treated as suspicious. Watch for unusual outbound connections from the NAS, which could indicate that an attacker is exfiltrating video or using the device as a pivot into the local network.

Because QNAP appliances are frequently targeted at scale, treat any confirmed unauthenticated access as a potential compromise of the wider environment: preserve logs before rotation, capture the current configuration for comparison, and inspect the NAS for unauthorized applications, scheduled jobs, or persistence. After upgrading, validate the fix by confirming that the previously exposed function now requires authentication, and keep monitoring QNAP security advisories (the QSA series) so subsequent QVR Pro and firmware fixes are caught and applied quickly.