GBHackers

Critical QNAP QVR Pro Flaw Could Let Remote Attackers Access Systems


QNAP has released an urgent security advisory regarding a critical vulnerability affecting its QVR Pro application, a widely deployed network video surveillance solution.

Disclosed on March 21, 2026, under the security advisory identifier QSA-26-07, this severe security flaw could allow unauthorized remote attackers to gain full access to vulnerable systems.

The vulnerability is officially tracked as CVE-2026-22898 and is also known in security circles as ZDI-CAN-28327.

Because surveillance systems inherently process highly sensitive data and monitor physical security environments, administrators must prioritize this patch to protect both their hardware infrastructure and their broader network perimeters.

The flaw was originally discovered and responsibly reported to QNAP by security researchers from FuzzingLabs.

QNAP QVR Pro Flaw

The core of this critical security issue stems from a missing authentication check on a vital application function within the QVR Pro software architecture.

In standard secure operations, software requires strict identity verification before permitting any user to execute high-level system commands.

In QVR Pro, that check is missing for the affected function. By sending specifically crafted network requests, a malicious actor can exploit the weakness and interact directly with the core system without ever needing to supply a valid username or password.

This critical-severity vulnerability affects systems running QVR Pro 2.7.x.

The operational impact of a successful exploit extends significantly beyond just the surveillance application itself.

Once an attacker gains unauthorized system access, they can potentially view private, real-time surveillance feeds, modify camera configurations, or completely delete stored video archives to cover their tracks.

Furthermore, QNAP network-attached storage devices often hold vast amounts of proprietary corporate data and are deeply integrated within enterprise networks.

A compromised QVR Pro installation could easily be weaponized as an initial entry point into a corporate environment.

From that foothold, malicious actors might attempt lateral movement to infect other connected servers, steal sensitive databases, or deploy crippling ransomware across the entire organization.

Fortunately, QNAP developers have already addressed the vulnerability in their most recent software rollout, and the status of the flaw is officially marked as resolved.

Organizations utilizing the affected software need to immediately upgrade to QVR Pro version 2.7.4.1485 or any subsequent release to ensure complete protection against remote attacks.

To apply the necessary fix, administrators should log into the QTS or QuTS hero interface using their administrator credentials and launch the App Center.

From there, users can utilize the search box to locate the QVR Pro application. Clicking the update button next to the application name and selecting “OK” on the confirmation prompt will authorize the installation.

The system will then automatically download and apply the secure release. Administrators should note that if the update button is not visible in the App Center, the system is already running an up-to-date and secure version.
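To find which hosts still need this update, the version rule stated above (2.7.x builds below 2.7.4.1485) can be applied to an inventory export. The following is an added example, not code from QNAP or from this article; the host names and version strings are constructed, and the status labels are this example's own. It compares versions numerically, because a plain string comparison would rank 2.7.4.999 above 2.7.4.1485.

```python
import re

FIXED = (2, 7, 4, 1485)    # first fixed build named in the article
AFFECTED_BRANCH = (2, 7)   # the article lists QVR Pro 2.7.x as affected


def parse_version(text):
    """Return a dotted-numeric version as a tuple of ints, or None."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        return None
    return tuple(int(part) for part in text.split("."))


def classify(version_text):
    """Map one reported QVR Pro version string to a triage status."""
    version = parse_version(version_text)
    if version is None:
        return "unknown"              # unreadable value: check the host by hand
    if version[:2] != AFFECTED_BRANCH:
        return "not-in-advisory"      # branch not covered by the text above
    # Pad short versions so "2.7.4" is compared as 2.7.4.0.
    version += (0,) * (len(FIXED) - len(version))
    return "patched" if version >= FIXED else "vulnerable"


def triage(inventory):
    """inventory: iterable of (host, version string) -> {host: status}."""
    return {host: classify(version) for host, version in inventory}


# Constructed inventory for illustration only.
SAMPLE = [
    ("nvr-lobby", "2.7.4.1485"),
    ("nvr-dock", "2.7.4.999"),   # sorts above 1485 as a string, below as a number
    ("nvr-lab", "2.7.10.12"),
    ("nvr-old", "2.7.1.1173"),
    ("nvr-hq", "2.6.0.0"),
    ("nvr-spare", "n/a"),
]

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE).items()):
        print(f"{host:10} {status}")
```

Hosts reported as `unknown` or `not-in-advisory` are not cleared by this check and should be verified against the vendor advisory directly.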
