VYPR · patch · Published Mar 30, 2026 · Updated May 18, 2026 · 1 source

QNAP QHora-322 Authentication Bypass Vulnerability (CVE-2025-62845) Patched After Pwn2Own Discovery

QNAP has released a security update for the QHora-322 router to fix an authentication bypass vulnerability (CVE-2025-62845) discovered at Pwn2Own Berlin 2026 by Team DDOS.

QNAP has issued a security update to address a critical authentication bypass vulnerability in the QHora-322 router, tracked as CVE-2025-62845. The flaw was discovered and demonstrated at the Pwn2Own Berlin 2026 hacking contest by researchers Bongeun Koo and Evangelos Daravigkas of Team DDOS, who earned a bounty for their work.

The vulnerability resides in the qvpn_db_mgr endpoint of the router's firmware. Specifically, the role_type parameter does not properly neutralize escape sequences, allowing an authenticated attacker to bypass the QBelt VPN authentication mechanism. Although exploitation requires some level of authentication, the bypass effectively nullifies that requirement, enabling unauthorized access to VPN services.

QNAP has assigned the issue a CVSS score of 6.3 (medium severity), with the vector AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L. This indicates the attack can be launched remotely over the network, requires low attack complexity, and can be executed with low privileges and no user interaction; scope is unchanged. The confidentiality, integrity, and availability components are each rated Low, so the impact on each is limited.

The QHora-322 is a multi-WAN VPN router designed for small and medium businesses, offering features such as QBelt VPN for secure remote access. The router is widely deployed in enterprise edge environments, making this vulnerability particularly concerning for organizations relying on QNAP's VPN solutions for remote connectivity.

QNAP has released a security advisory (QSA-26-12) detailing the fix and urging users to update their QHora-322 firmware immediately. The coordinated disclosure timeline shows the vulnerability was reported to QNAP on November 18, 2025, with the public advisory released on March 30, 2026. Users can find the update and further details on QNAP's security advisory page.

This discovery at Pwn2Own highlights the ongoing importance of hardware security research in uncovering flaws in network appliances. The contest, which awarded over $1.3 million for 47 zero-days across enterprise and AI products, continues to drive responsible disclosure and rapid patching. QNAP's prompt response in issuing a fix within four months of the report demonstrates a commitment to addressing researcher-discovered vulnerabilities.

Synthesized by Vypr AI