QNAP QHora-322 Router SQL Injection Vulnerability (CVE-2025-62846) Patched After Pwn2Own Discovery
A critical SQL injection vulnerability in QNAP QHora-322 routers, discovered during Pwn2Own, allows remote authenticated attackers to execute arbitrary code as root; QNAP has released a security update.
A critical SQL injection vulnerability in QNAP QHora-322 routers, designated CVE-2025-62846, has been disclosed by the Zero Day Initiative (ZDI) after being demonstrated during the Pwn2Own hacking competition. The flaw, which carries a CVSS score of 8.8, allows remote authenticated attackers to execute arbitrary code with root privileges. Although authentication is required, the advisory notes that the existing authentication mechanism can be bypassed, significantly lowering the barrier to exploitation.
The vulnerability resides in the qvpn_db_mgr module of the QHora-322 router. The issue stems from improper validation of user-supplied strings before they are used to construct SQL queries. An attacker can inject malicious SQL commands, leading to remote code execution in the context of the root user. This gives an attacker full control over the affected device, potentially enabling further network compromise.
The vulnerability was discovered and reported by researchers Bongeun Koo (@kiddo_pwn) and Evangelos Daravigkas (@freddo_1337) of Team DDOS, who demonstrated the exploit at Pwn2Own. The disclosure timeline shows the vulnerability was reported to QNAP on November 18, 2025, and a coordinated public release of the advisory occurred on March 30, 2026.
QNAP has issued a security update to address this vulnerability. Users are urged to apply the patch immediately. More details can be found in QNAP's security advisory at QSA-26-12. The advisory also notes that the vulnerability affects the QHora-322 product line.
This vulnerability highlights the ongoing risks in network infrastructure devices, which are often deployed at the network edge and may not receive timely security updates. The involvement of Pwn2Own underscores the value of such competitions in discovering and responsibly disclosing critical flaws before they can be exploited by malicious actors.
Organizations using QNAP QHora-322 routers should prioritize applying the security update to mitigate the risk of remote code execution. Given the authentication bypass potential, even devices with limited exposure should be patched promptly.