VYPR
patch · Published Mar 16, 2026 · Updated May 18, 2026 · 1 source

QNAP TS-453E SQL Injection Vulnerability (CVE-2025-62849) Disclosed After Pwn2Own Exploit

A critical SQL injection vulnerability in QNAP TS-453E NAS devices, discovered during Pwn2Own Berlin 2026, allows authenticated network-adjacent attackers to execute arbitrary code as admin.

QNAP has disclosed a critical SQL injection vulnerability in its TS-453E network-attached storage (NAS) devices, tracked as CVE-2025-62849 and assigned a CVSS score of 8.0. The flaw was discovered and demonstrated during the Pwn2Own Berlin 2026 hacking competition by a team of researchers from the DEVCORE Internship Program, including YingMuo, HexRabbit, LJP, and nella17. The vulnerability resides in the `nvrlog_event_add` endpoint, where the `msg` parameter is passed into an SQL query without proper validation, so crafted input changes the statement the database executes rather than being stored as plain text.

The flaw allows an attacker who has already gained authenticated access to the device to inject SQL through the `msg` parameter. By exploiting this injection, the attacker can execute arbitrary code in the context of the admin user, effectively gaining full control over the NAS device. The attack requires network adjacency, meaning the attacker must be on the same local network segment as the target device, and valid credentials for it; no user interaction is needed. Those two preconditions, rather than a lack of impact, are what keep the CVSS score at 8.0 instead of higher.
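To make the mechanism concrete, the following is an added example (not QNAP's code, and not the researchers' exploit) of the pattern described above: a log-insert handler that splices a caller-supplied `msg` into the SQL text, beside the parameterised version that fixes it. The table layout, the `users` table, the hash value and the `add_event_*` function names are all constructed for the illustration; the real QTS schema and handler are not known and not assumed. The payload shows one thing an authenticated attacker can do with an injectable insert: read a value from another table into the log entry, where the normal log viewer then displays it.

```python
import sqlite3

# Constructed stand-in for the NVR event log plus a second table holding
# something worth stealing. Nothing here reflects the real QTS database.
SCHEMA = """
CREATE TABLE nvrlog (id INTEGER PRIMARY KEY, level TEXT, msg TEXT);
CREATE TABLE users (name TEXT PRIMARY KEY, pw_hash TEXT);
INSERT INTO users VALUES ('admin', '$1$constructed-hash');
"""


def new_db():
    """Fresh in-memory database with the constructed schema."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def add_event_vulnerable(conn, msg):
    # Hypothetical handler with the defect the advisory describes: msg is
    # spliced into the statement text, so a quote inside msg ends the
    # string literal and the rest of msg becomes SQL.
    sql = f"INSERT INTO nvrlog (level, msg) VALUES ('event', '{msg}')"
    conn.execute(sql)
    conn.commit()


def add_event_fixed(conn, msg):
    # Hardened form: msg is bound as a parameter, so it is always data.
    # Escaping or allow-listing characters would be a weaker substitute.
    conn.execute(
        "INSERT INTO nvrlog (level, msg) VALUES ('event', ?)", (msg,)
    )
    conn.commit()


def log_messages(conn):
    """What a log viewer would show: every stored msg in insertion order."""
    return [row[0] for row in conn.execute("SELECT msg FROM nvrlog ORDER BY id")]


# Constructed payload: closes the literal, concatenates a subquery result,
# then reopens a literal so the statement stays syntactically valid.
PAYLOAD = "cam1 offline' || (SELECT pw_hash FROM users WHERE name='admin') || '"


def demo():
    """Run the same payload through both handlers and return what each stored."""
    results = {}

    conn = new_db()
    add_event_vulnerable(conn, PAYLOAD)
    results["vulnerable"] = log_messages(conn)  # subquery result leaks into the log

    conn = new_db()
    add_event_fixed(conn, PAYLOAD)
    results["fixed"] = log_messages(conn)       # payload stored verbatim, inert

    return results


if __name__ == "__main__":
    for variant, rows in demo().items():
        print(f"{variant}: {rows}")
```

With the vulnerable handler the stored message becomes `cam1 offline$1$constructed-hash`; with the fixed handler it is the payload string itself. The same break-out technique can be pointed at whatever the query engine and the surrounding code allow, which is why the advisory treats an injectable insert as a path to full compromise rather than a data-integrity nuisance.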

QNAP TS-453E devices are popular in small-to-medium business environments and home offices for centralized data storage, backup, and multimedia serving. The ability to achieve code execution as admin on such a device could allow attackers to exfiltrate sensitive data, deploy ransomware, or pivot to other systems on the same network. The vulnerability is particularly concerning because the starting point is an ordinary authenticated session rather than administrator rights: a single compromised user account, combined with a foothold on the same network segment, is enough to take over the whole device.

QNAP has released a security update to address the vulnerability, detailed in advisory QSA-25-45. Users of the TS-453E are strongly urged to apply the patch immediately. The advisory provides instructions for updating the QTS operating system to the latest version that includes the fix. As of the disclosure date, there are no reports of active exploitation in the wild, but the public release of the advisory and the high-profile nature of the Pwn2Own demonstration increase the likelihood of attackers reconstructing the exploit, for instance by diffing the patched and unpatched firmware. Until the update is applied, limiting which accounts and which network segments can reach the device's web interface reduces exposure, since the attacker needs both.

The disclosure timeline shows that the vulnerability was reported to QNAP on November 18, 2025, and the coordinated public release occurred on March 16, 2026. The advisory was updated the following day. This four-month window between reporting and disclosure is typical for coordinated vulnerability disclosure, allowing the vendor time to develop and test a patch.

The discovery of CVE-2025-62849 at Pwn2Own Berlin 2026 highlights the ongoing value of such competitions in uncovering critical flaws in widely deployed enterprise and consumer devices. The DEVCORE team's success at the event, where researchers collectively earned $1.3 million for 47 zero-days, underscores the depth of talent in the security research community. For QNAP users, the key takeaway is clear: apply the QSA-25-45 update without delay to close this SQL injection hole before it can be exploited.

Synthesized by Vypr AI