Pwn2Own Disclosure: Authentication Bypass in QNAP QHora-322 Routers (CVE-2025-62844)
QNAP has patched an authentication bypass vulnerability in QHora-322 routers, disclosed at Pwn2Own, that allows remote attackers to authenticate using an arbitrary QCloud account.
QNAP has released a security update to address CVE-2025-62844, an authentication bypass vulnerability in QHora-322 routers that was disclosed as part of the Pwn2Own hacking competition. The flaw, reported by researchers Bongeun Koo and Evangelos Daravigkas of Team DDOS, allows remote attackers to bypass authentication without needing valid credentials.
The vulnerability resides in the `login.newAuthMiddleware.Authenticator` endpoint, specifically in how the `qurouter_token` parameter is handled. The issue stems from the router allowing a user to authenticate using an arbitrary QCloud account. This means an attacker can supply a token for any QCloud account—not necessarily one associated with the device—and be granted authenticated access.
While the CVSS score for this vulnerability is 5.6 (medium severity), the practical risk is elevated because the attack requires no authentication and can be chained with other vulnerabilities. An attacker who successfully exploits this bypass could gain unauthorized access to the router's administrative interface, potentially leading to further compromise of the network.
The vulnerability was reported to QNAP on November 18, 2025, and the coordinated public disclosure occurred on March 30, 2026. QNAP has issued a security advisory (QSA-26-12) with details on the fix. Users of QHora-322 routers are strongly advised to apply the update as soon as possible.
This disclosure highlights the ongoing value of Pwn2Own in surfacing critical vulnerabilities in widely deployed network devices. The QHora-322 is a popular multi-WAN router used in both home and small business environments, making it an attractive target for attackers. The ability to bypass authentication without credentials is a particularly dangerous class of flaw, as it can serve as an entry point for more sophisticated attacks.
As with all network infrastructure, keeping firmware up to date is essential. QNAP has provided clear instructions for updating the QHora-322, and users should verify that the update is applied promptly to mitigate the risk of exploitation.