Medium

Authentication Bypass in QNAP QHora-322 login.newAuthMiddleware.Authenticator

IdentifiersCVE-2025-62844CWE-287

CVE-2025-62844 is a weak authentication / authentication bypass vulnerability affecting QNAP QHora-322 routers. According to the provided material, the flaw exists in the login.newAuthMiddleware.Authenticator endpoint and specifically stems from improper handling of the qurouter_token parameter. This condition allows a remote attacker to authenticate using an arbitrary QCloud account and bypass normal authentication checks. QNAP also describes the issue as affecting the local network level, where an attacker with LAN access can exploit weak authentication mechanisms to obtain sensitive information. The issue was disclosed via ZDI as ZDI-26-239 (ZDI-CAN-28422).

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows an attacker to bypass authentication on an affected QNAP QHora-322 device and gain access to sensitive information that should remain protected. The provided context also states the flaw can be chained with other vulnerabilities, increasing the likelihood of broader compromise. The cited CVSS vector (AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L) indicates low impacts to confidentiality, integrity, and availability individually, but the practical effect is unauthorized access to protected router functionality and data.

Mitigation

If you can’t patch tonight, do this now.

Apply the vendor patch immediately and follow QNAP security advisory QSA-26-12. Until patching is completed, restrict management-plane exposure to trusted hosts and segments only, minimize or eliminate untrusted LAN access to the router, and monitor for suspicious access to the login.newAuthMiddleware.Authenticator endpoint, especially requests involving the qurouter_token parameter. Because the issue may be chainable with other flaws, reducing adjacent attack surface and limiting administrative interface reachability are important interim measures.

Remediation

Patch, then assume compromise.

QNAP states the vulnerability has been fixed in QuRouter 2.6.2.007 and later. Additional context also notes QNAP addressed the issue in later QuRouter releases, including 2.6.3.009, and published remediation guidance in security advisory QSA-26-12. The primary remediation is to upgrade affected QHora devices to a fixed QuRouter version referenced by QNAP.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

QNAP SystemsQurouterapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

3 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

3 SOURCESView more in app

security affairsNews

Mar 23, 2026

QNAP fixed four vulnerabilities demonstrated at Pwn2Own Ireland 2025

A weak authentication vulnerability in QNAP QHora devices that can allow an attacker with LAN access to retrieve sensitive information.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity1

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2025-62844

NVD

nvd.nist.gov/vuln/detail/CVE-2025-62844

MITRE CWE · CWE-287

cwe.mitre.org

Vendor Advisory

qnap.com/en/security-advisory/qsa-26-12