ZDI-26-241
HIGH 8.8
Published: Mar 30, 2026
QNAP QHora-322 qvpn_db_mgr username SQL Injection Remote Code Execution Vulnerability
QNAP
The qvpn_db_mgr username SQL injection vulnerability in QNAP QHora-322 routers (CVE-2025-62846), rated HIGH 8.8, allows remote attackers to execute arbitrary code. Authentication protections are present, but they can be bypassed. An attacker who exploits this flaw gains arbitrary code execution on the affected device, potentially compromising network security and all connected systems. Security teams should immediately prioritize patching these routers and review QNAP's advisory for available updates, and should consider network segmentation to limit exposure until fixes are deployed.