CVSS Vector
CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U
Description
An SQL injection vulnerability has been reported to affect QHora. If a local attacker gains an administrator account, they can then exploit the vulnerability to execute unauthorized code or commands. We have already fixed the vulnerability in the following version: QuRouter 2.6.2.007 and later.
Analysis
An SQL injection vulnerability exists in QNAP QuRouter that allows authenticated local administrators to execute unauthorized code or commands through SQL injection techniques. The vulnerability affects QuRouter versions prior to 2.6.2.007, and exploitation requires an attacker to first obtain legitimate administrator credentials on the affected device. While no CVSS score or EPSS data is currently published, the SQL injection classification (CWE-89) combined with code execution impact represents a critical risk for compromised administrator accounts.
Technical Context
The vulnerability is classified as CWE-89 (Improper Neutralization of Special Elements used in an SQL Command), indicating that user-supplied input is not properly sanitized before being incorporated into SQL queries within the QuRouter application. QuRouter is QNAP's network routing and gateway appliance software (identified via CPE cpe:2.3:a:qnap_systems_inc.:qurouter). The SQL injection flaw allows an authenticated administrator to manipulate SQL queries to execute arbitrary commands, likely through administrative interface parameters or configuration fields that interact with the underlying database without proper input validation or parameterized query usage.
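The CWE-89 pattern described above, shown as an added example that is not QuRouter's code and does not use QuRouter's schema: a toy settings table in an in-memory SQLite database is queried once by splicing the caller's input into the SQL text and once with a bound parameter. The table, rows and test inputs are constructed for the example; the `owner = 'admin'` filter stands in for whatever row-level restriction the application intends to enforce.

```python
import sqlite3

# Constructed sample data standing in for an appliance's settings store.
# The table layout and rows are assumptions for this example, not QuRouter's schema.
SAMPLE_ROWS = [
    ("hostname", "router-01", "admin"),
    ("ntp_server", "pool.ntp.org", "admin"),
    ("wan_password", "s3cret-value", "system"),  # not meant to be listed by the UI
]


def make_db():
    """Build the in-memory table the two lookup functions query."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE settings (name TEXT, value TEXT, owner TEXT)")
    conn.executemany("INSERT INTO settings VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_unsafe(conn, name):
    """CWE-89 pattern: the input is spliced into the SQL text, so a quote
    character in the input changes the structure of the statement."""
    sql = f"SELECT name, value FROM settings WHERE name = '{name}' AND owner = 'admin'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """Hardened form: a bound parameter is always treated as a value,
    never as SQL grammar, regardless of what characters it contains."""
    sql = "SELECT name, value FROM settings WHERE name = ? AND owner = 'admin'"
    return conn.execute(sql, (name,)).fetchall()


def apostrophe_breaks_unsafe(conn):
    """A perfectly ordinary value with an apostrophe already breaks the
    string-built query; this is the usual first symptom of CWE-89."""
    try:
        lookup_unsafe(conn, "it's")
        return False
    except sqlite3.OperationalError:
        return True


def demo():
    """Run both lookups on a normal name and on a constructed input that
    carries SQL grammar, and return the four result sets for comparison."""
    conn = make_db()
    normal = "hostname"
    # Constructed test input: the quote closes the literal and the rest is
    # parsed as part of the WHERE clause by the unsafe version.
    crafted = "x' OR '1'='1"
    return {
        "unsafe_normal": lookup_unsafe(conn, normal),
        "safe_normal": lookup_safe(conn, normal),
        "unsafe_crafted": lookup_unsafe(conn, crafted),
        "safe_crafted": lookup_safe(conn, crafted),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:15s} -> {rows}")
    print("apostrophe breaks unsafe query:", apostrophe_breaks_unsafe(make_db()))
```

With the crafted input the unsafe query returns every row the `OR` clause admits instead of the single named setting, while the parameterized query returns nothing because no setting is literally named `x' OR '1'='1`. The same separation of data from grammar is what a fix for a CWE-89 finding in any web-administered appliance has to deliver; an allow-list on the parameter name and a length limit are useful extra layers but not substitutes for binding.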
Affected Products
QNAP QuRouter versions prior to 2.6.2.007 are affected, as confirmed by the CPE identifier cpe:2.3:a:qnap_systems_inc.:qurouter:*:*:*:*:*:*:*:*. The vendor has confirmed that QuRouter 2.6.2.007 and all later versions contain the fix. Additional affected version details and technical specifics are available in the QNAP security advisory at https://www.qnap.com/en/security-advisory/qsa-26-12.
Remediation
Immediately upgrade QuRouter to version 2.6.2.007 or later using QNAP's official firmware update mechanism (consult https://www.qnap.com/en/security-advisory/qsa-26-12 for download and installation instructions). Until patching is completed, enforce the principle of least privilege by restricting administrator account access to trusted personnel only, disable unnecessary administrative interfaces, and monitor administrator account activity for suspicious SQL-like patterns or unusual command execution. Consider isolating QuRouter devices on a protected management network segment to limit the impact of potential administrator account compromise.
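The monitoring step above (watching administrator activity for SQL-like patterns in request parameters) as an added example; this is not QuRouter's logging or any vendor tooling. The log line format, the `/ui/settings` paths and the sample lines are all constructed for the example, and the `SQLI_RE` heuristic is an assumption chosen for low noise on configuration values rather than a complete injection signature. The idea carries over to any access log where a per-request user and the decoded query parameters are available.

```python
import re
from urllib.parse import parse_qs

# Constructed sample lines in an assumed format:
#   "<timestamp> user=<account> <METHOD> <path>[?<query>]"
# This format and these paths are assumptions for the example, not QuRouter's log format.
SAMPLE_LOG = """\
2025-01-10T09:00:01Z user=admin GET /ui/settings?name=hostname
2025-01-10T09:00:07Z user=admin POST /ui/settings?name=ntp_server&value=pool.ntp.org
2025-01-10T09:01:15Z user=admin GET /ui/settings?name=x%27%20OR%20%271%27%3D%271
2025-01-10T09:02:30Z user=ops GET /ui/settings?name=wan%27%20--%20
2025-01-10T09:03:00Z user=ops GET /ui/status
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) (?P<method>[A-Z]+) (?P<path>\S+)$")

# Heuristic (an assumption for this example): SQL grammar appearing inside a
# single parameter value. A quote followed by a boolean or set operator, a
# SQL comment marker, a statement separator followed by more text, or a
# block-comment opener. Configuration values rarely contain any of these.
SQLI_RE = re.compile(r"(?:'|\")\s*(?:or|and|union)\b|--|;\s*\w|/\*", re.IGNORECASE)


def suspicious_params(path):
    """Return (param, decoded_value) pairs whose value matches SQLI_RE."""
    if "?" not in path:
        return []
    _, _, query = path.partition("?")
    hits = []
    # parse_qs percent-decodes, so matching runs on what the application would see
    for key, values in parse_qs(query, keep_blank_values=True).items():
        for value in values:
            if SQLI_RE.search(value):
                hits.append((key, value))
    return hits


def scan(log_text):
    """Return one alert per log line that carries a suspicious parameter,
    attributed to the account that issued the request."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line; a production collector would count these
        hits = suspicious_params(m["path"])
        if hits:
            alerts.append({"ts": m["ts"], "user": m["user"], "params": hits})
    return alerts


def by_user(alerts):
    """Count alerts per account so a compromised administrator stands out."""
    counts = {}
    for alert in alerts:
        counts[alert["user"]] = counts.get(alert["user"], 0) + 1
    return counts


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for alert in found:
        print(alert["ts"], alert["user"], alert["params"])
    print("alerts per account:", by_user(found))
```

The value of the per-account tally is that this vulnerability is only reachable with administrator credentials, so an alert is less a "someone is probing the login page" signal and more a "this trusted account is behaving unexpectedly" signal that should drive credential rotation and a session review for that account. Expect some false positives on free-text fields such as descriptions; tune the pattern per parameter rather than loosening it globally.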
EUVD-2025-208901