ZDI 2026-03-30

ZDI-26-239: (Pwn2Own) QNAP QHora-322 login.newAuthMiddleware.Authenticator Authentication Bypass Vulnerability

CVE-2025-62844

Machine-generated analysis · WAYSCloud LLM

The vulnerability enables remote authentication bypass on QNAP QHora-322 routers without requiring prior authentication.

Context

The affected product is the QNAP QHora-322 router. The vulnerability is an authentication bypass in the login.newAuthMiddleware.Authenticator component. The advisory notes that no authentication is required to exploit the vulnerability. The ZDI assigned a CVSS score of 5.6, indicating a medium severity rating.

Operator considerations

Check: Identify QNAP QHora-322 devices on the network.

From Zero Day Initiative ↗

This vulnerability allows remote attackers to bypass authentication on affected installations of QNAP QHora-322 routers. Authentication is not required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 5.6. The following CVEs are assigned: CVE-2025-62844.

Read the full advisory on ZDI →