Skip to main content

Qurouter CVE-2025-62846

| EUVDEUVD-2025-208901 HIGH
SQL Injection (CWE-89)
2026-03-20 qnap
7.3
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
7.3 HIGH
CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
X

Lifecycle Timeline

6
Analysis Updated
Apr 16, 2026 - 06:19 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
2.6.2.007
EUVD ID Assigned
Mar 20, 2026 - 16:30 euvd
EUVD-2025-208901
Analysis Generated
Mar 20, 2026 - 16:30 vuln.today
CVE Published
Mar 20, 2026 - 16:21 nvd
HIGH 7.3

DescriptionCVE.org

An SQL injection vulnerability has been reported to affect QHora. If a local attacker gains an administrator account, they can then exploit the vulnerability to execute unauthorized code or commands.

We have already fixed the vulnerability in the following version: QuRouter 2.6.2.007 and later

AnalysisAI

An SQL injection vulnerability exists in QNAP QuRouter that allows authenticated local administrators to execute unauthorized code or commands through SQL injection techniques. The vulnerability affects QuRouter versions prior to 2.6.2.007, and exploitation requires an attacker to first obtain legitimate administrator credentials on the affected device. While no CVSS score or EPSS data is currently published, the SQL injection classification (CWE-89) combined with code execution impact represents a critical risk for compromised administrator accounts.

Technical ContextAI

The vulnerability is classified as CWE-89 (Improper Neutralization of Special Elements used in an SQL Command), indicating that user-supplied input is not properly sanitized before being incorporated into SQL queries within the QuRouter application. QuRouter is QNAP's network routing and gateway appliance software (identified via CPE cpe:2.3:a:qnap_systems_inc.:qurouter). The SQL injection flaw allows an authenticated administrator to manipulate SQL queries to execute arbitrary commands, likely through administrative interface parameters or configuration fields that interact with the underlying database without proper input validation or parameterized query usage.

RemediationAI

Immediately upgrade QuRouter to version 2.6.2.007 or later using QNAP's official firmware update mechanism (consult https://www.qnap.com/en/security-advisory/qsa-26-12 for download and installation instructions). Until patching is completed, enforce principle of least privilege by restricting administrator account access to trusted personnel only, disable unnecessary administrative interfaces, and monitor administrator account activity for suspicious SQL-like patterns or unusual command execution. Consider isolating QuRouter devices on a protected management network segment to limit the impact of potential administrator account compromise.

CVE-2024-50389 CRITICAL
9.5 Dec 06

A SQL injection vulnerability has been reported to affect QuRouter. Rated critical severity (CVSS 9.5), this vulnerabili

CVE-2024-48860 CRITICAL
9.5 Nov 22

An OS command injection vulnerability has been reported to affect several product versions. Rated critical severity (CVS

CVE-2024-13088 HIGH
7.8 Jun 06

CVE-2024-13088 is an improper authentication vulnerability (CWE-287) affecting QHora/QuRouter that allows local network

CVE-2024-50390 HIGH
7.7 Mar 07

A command injection vulnerability has been reported to affect QHora. Rated high severity (CVSS 7.7), this vulnerability

CVE-2024-48861 HIGH
7.3 Nov 22

An OS command injection vulnerability has been reported to affect several product versions. Rated high severity (CVSS 7.

CVE-2024-13087 MEDIUM
6.7 Jun 06

A command injection vulnerability has been reported to affect QHora. If an attacker gains local network access who have

CVE-2025-62845 MEDIUM
5.6 Mar 20

An improper neutralization of escape, meta, or control sequences vulnerability (CWE-150) affects QNAP QHora/QuRouter dev

CVE-2024-53700 MEDIUM
5.1 Mar 07

A command injection vulnerability has been reported to affect QHora. Rated medium severity (CVSS 5.1), this vulnerabilit

CVE-2025-62844 MEDIUM
4.0 Mar 20

A weak authentication vulnerability exists in QNAP QHora/QuRouter devices that allows attackers with local network acces

CVE-2025-62843 LOW
0.9 Mar 20

An improper restriction of communication channel to intended endpoints vulnerability (CWE-923) has been identified in QN

CVE-2025-29887 HIGH
7.1 Aug 29

A command injection vulnerability has been reported to affect QuRouter 2.5.1. Rated high severity (CVSS 7.1), this vulne

Share

CVE-2025-62846 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy