QNAP QHora-322 Firewall Bypass Vulnerability (CVE-2025-62843) Disclosed via Pwn2Own
A firewall bypass vulnerability in QNAP QHora-322 routers, reported through the Pwn2Own contest, allows unauthenticated network-adjacent attackers to bypass IPv6 firewall rules on PPPoE connections.
A firewall bypass vulnerability (CVE-2025-62843) has been disclosed in QNAP QHora-322 routers, reported through the Pwn2Own contest. The flaw, detailed in an advisory from the Zero Day Initiative (ZDI-26-237), allows network-adjacent attackers to bypass IPv6 firewall rules on PPPoE connections without authentication. With a CVSS score of 6.3, the issue can be chained with other vulnerabilities to achieve remote code execution as root.
The vulnerability resides in the implementation of firewall rules within the QHora-322 router. Specifically, the device fails to properly match IPv6 firewall rules on PPPoE (Point-to-Point Protocol over Ethernet) connections. This oversight allows an attacker on the same network segment to send malicious traffic that should be blocked by the firewall, effectively bypassing security controls. The flaw is classified as an "Improper Restriction of Communication Channel to Intended Endpoints," meaning the router does not adequately restrict network traffic to the intended endpoints as defined by its firewall policies.
Exploitation of this vulnerability does not require authentication, making it particularly dangerous for devices exposed to untrusted network segments. An attacker who successfully bypasses the firewall rules could then leverage this access in conjunction with other vulnerabilities to execute arbitrary code with root privileges. The advisory notes that the vulnerability was reported by researchers Bongeun Koo (@kiddo_pwn) and Evangelos Daravigkas (@freddo_1337) of Team DDOS, who demonstrated the exploit during the Pwn2Own hacking competition.
QNAP has released a security update to address this vulnerability. The company's advisory (QSA-26-12) provides details on the affected firmware versions and the necessary patches. Users of QNAP QHora-322 routers are strongly advised to apply the update immediately to mitigate the risk of exploitation. The disclosure timeline shows the vulnerability was reported to QNAP on November 18, 2025, with the coordinated public release occurring on March 30, 2026.
This vulnerability highlights the ongoing challenges in securing network infrastructure devices, particularly those that handle both IPv4 and IPv6 traffic. The fact that the flaw was discovered through Pwn2Own underscores the value of such competitions in identifying critical security issues before they can be exploited maliciously. As routers become more complex and feature-rich, the attack surface expands, making regular security updates and proactive vulnerability research essential.
The QHora-322 is a multi-WAN router designed for small and medium businesses, offering features like load balancing and VPN support. Given its role in network edge security, a firewall bypass vulnerability in such a device could have significant implications for network integrity and data confidentiality. The ability to chain this flaw with other vulnerabilities to achieve remote code execution as root further elevates the risk, as it could allow an attacker to completely compromise the router and potentially pivot to other devices on the network.