Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
6DescriptionCVE.org
A missing authentication for critical function vulnerability has been reported to affect QVR Pro. The remote attackers can then exploit the vulnerability to gain access to the system.
We have already fixed the vulnerability in the following version: QVR Pro 2.7.4.14 and later
AnalysisAI
QVR Pro contains a missing authentication vulnerability (CWE-306) that allows remote attackers to access critical functions without proper credential validation, potentially gaining unauthorized system access. All versions prior to QVR Pro 2.7.4.14 are affected. This authentication bypass vulnerability enables unauthenticated remote exploitation of a surveillance management platform, representing a direct threat to organizations relying on QVR Pro for video recording and system administration.
Technical ContextAI
QVR Pro is QNAP's professional video recording and management solution, identified via CPE cpe:2.3:a:qnap_systems_inc.:qvr_pro. The vulnerability stems from CWE-306 (Missing Authentication for Critical Function), a root cause classification indicating that certain critical application functions lack proper authentication mechanisms. This suggests that one or more API endpoints, administrative functions, or system configuration interfaces within QVR Pro fail to validate user credentials before processing requests, allowing the application to treat unauthenticated requests as if they were legitimately authenticated. The absence of CVSS scoring in the advisory may indicate this is a pre-disclosure or preliminary report, though the severity is evident from the authentication bypass nature and remote attack vector.
RemediationAI
Immediately upgrade QVR Pro to version 2.7.4.14 or later as provided by QNAP (see security advisory at https://www.qnap.com/en/security-advisory/qsa-26-07). Until patching is completed, implement network-level mitigations including restricting direct network access to QVR Pro systems to trusted administrative networks only, deploying a reverse proxy with mandatory authentication and TLS enforcement, and disabling or isolating any critical functions that do not require authentication. Monitor QVR Pro access logs for evidence of exploitation attempts, particularly requests to administrative or configuration endpoints originating from untrusted sources. If immediate patching is not feasible, consider temporarily taking affected QVR Pro instances offline until the update can be applied.
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-13718