CVE-2025-62846 is an SQL injection vulnerability categorized under CWE-89 that affects QNAP Systems Inc.'s QuRouter product, specifically versions 2.6.x before 2.6.2.007. The vulnerability arises from insufficient sanitization of user-supplied input in SQL queries within the QuRouter management interface or backend, allowing a local attacker with administrator privileges to inject malicious SQL code. This injection can lead to unauthorized execution of commands or code on the device, potentially compromising system integrity and confidentiality. The vulnerability requires local access with high privileges (administrator) but does not require additional authentication or user interaction beyond that. The CVSS 4.0 base score is 7.3, reflecting high severity due to the combination of local attack vector, low attack complexity, and high impact on confidentiality, integrity, and availability. The vulnerability was reserved in October 2025 and published in March 2026. While no public exploits are known, the risk remains significant given the potential for privilege escalation and system compromise. The vendor has released a patch in QuRouter version 2.6.2.007 and later to remediate the issue by properly sanitizing inputs and securing SQL query handling.

The impact of CVE-2025-62846 is substantial for organizations using vulnerable QuRouter versions. An attacker with administrator access can exploit the SQL injection to execute arbitrary commands, potentially leading to full system compromise, unauthorized data access, or disruption of network routing services. This could result in data breaches, loss of network availability, and lateral movement within internal networks. Given QuRouter's role in managing network traffic, exploitation could also facilitate interception or manipulation of sensitive communications. Organizations relying on QNAP QuRouter for critical infrastructure or enterprise network management face increased risk of operational disruption and data loss. The vulnerability's requirement for local admin access limits remote exploitation but does not eliminate risk, especially in environments with weak internal access controls or compromised administrator credentials.

To mitigate CVE-2025-62846, organizations should immediately upgrade QuRouter to version 2.6.2.007 or later, where the vulnerability is patched. Beyond patching, restrict administrator access to trusted personnel and enforce strong authentication mechanisms, such as multi-factor authentication, to reduce the risk of credential compromise. Implement network segmentation to limit local access to QuRouter management interfaces and monitor administrative activities for suspicious behavior. Regularly audit and rotate administrator credentials and ensure that logging and alerting are enabled to detect potential exploitation attempts. Additionally, conduct security assessments and penetration testing focused on SQL injection vulnerabilities in custom or third-party network management tools. Finally, maintain an up-to-date inventory of network devices and their firmware versions to ensure timely patch management.