QNAP QHora-322 Authentication Bypass Vulnerability (CVE-2024-13088) Disclosed as Part of Pwn2Own
A critical authentication bypass vulnerability in QNAP QHora-322 routers, CVE-2024-13088, was disclosed on March 30, 2026, as part of the Pwn2Own hacking contest, allowing network-adjacent attackers to authenticate using an arbitrary QCloud account without credentials.
A critical authentication bypass vulnerability in QNAP QHora-322 routers, tracked as CVE-2024-13088, was publicly disclosed on March 30, 2026, as part of the Pwn2Own hacking contest. The flaw, discovered by researcher nella17 (@nella17tw) working with the DEVCORE Internship Program and DEVCORE Research Team, allows network-adjacent attackers to bypass authentication on affected devices without requiring no prior credentials.
The vulnerability resides in the `miro_webserver_webserver_controllers_api_login_singIn` function of the QHora-322 router's web server. The issue stems from the function allowing a user to authenticate using an arbitrary QCloud account without proper validation. An attacker on the same network can exploit this to gain unauthorized access to the router's administrative interface, potentially leading to full device compromise.
QNAP has released a security update to address this vulnerability. The security advisory (QSA-25-15) provides details on the update and its availability. Users are strongly recommends that all QHora-322 users apply the patch as soon as possible to mitigate the risk of exploitation.
The vulnerability was reported to QNAP on December 13, 2024, and the coordinated public release of the advisory occurred on March 30, 2026, aligning with the Pwn2Own disclosure timeline. The CVSS score for CVE-2024-13088 is 5.0 (AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L), indicating a medium severity with low impact on confidentiality, integrity, and availability.
This disclosure highlights the ongoing risks posed by authentication bypass flaws in network devices, which can serve as entry points for broader network attacks. The involvement of the DEVCORE team, known for their success at Pwn2Own, underscores the importance of rigorous security testing for IoT and networking equipment.
QNAP users should verify their device firmware version and apply the latest security update from the official QNAP website. As with all network devices, maintaining up-to-date firmware and segmenting network access are critical best practices to reduce exposure to such vulnerabilities.