CVE-2025-62846: CWE-89 in QNAP Systems Inc. QuRouter
An SQL injection vulnerability has been reported to affect QHora. If a local attacker gains an administrator account, they can then exploit the vulnerability to execute unauthorized code or commands. We have already fixed the vulnerability in the following version: QuRouter 2.6.2.007 and later.
AI Analysis
Technical Summary
CVE-2025-62846 is an SQL injection vulnerability categorized under CWE-89, impacting QNAP Systems Inc.'s QuRouter product, specifically versions 2.6.x. The vulnerability arises from insufficient sanitization of SQL inputs within the device's management interface or backend, allowing a local attacker with administrator privileges to inject malicious SQL commands. Exploiting this flaw enables unauthorized code or command execution, potentially leading to full system compromise, data leakage, or disruption of network services. The vulnerability requires local access with elevated privileges but does not require additional authentication or user interaction. The CVSS 4.0 base score is 7.3 (high), reflecting the high impact on confidentiality, integrity, and availability, combined with low attack complexity and no need for user interaction. The vendor has addressed this issue in QuRouter version 2.6.2.007 and later. No public exploits have been reported to date, but the vulnerability poses a significant risk in environments where attackers can gain administrative access to the device. Given the critical role of QuRouter devices in network infrastructure, exploitation could facilitate lateral movement, data exfiltration, or persistent access within targeted networks.
Potential Impact
The impact of CVE-2025-62846 is substantial for organizations deploying affected QuRouter versions. Successful exploitation can lead to unauthorized code execution, compromising the confidentiality, integrity, and availability of the device and potentially the broader network. Attackers with admin access could manipulate routing configurations, intercept or redirect traffic, deploy malware, or create persistent backdoors. This could disrupt business operations, lead to data breaches, or facilitate further attacks within the network. The requirement for local admin access limits remote exploitation but does not eliminate risk, as attackers often seek to escalate privileges or gain local access through other means. Organizations relying on QuRouter devices for critical network functions are at risk of operational disruption and data compromise if the vulnerability is not remediated promptly.
Mitigation Recommendations
To mitigate CVE-2025-62846, organizations should immediately upgrade all affected QuRouter devices to version 2.6.2.007 or later, where the vulnerability has been patched. Beyond patching, restrict administrative access to trusted personnel and secure local access points to prevent unauthorized physical or network-based admin access. Implement network segmentation to isolate management interfaces from general user networks, reducing the attack surface. Enable and monitor detailed logging on QuRouter devices to detect unusual administrative activities that could indicate exploitation attempts. Regularly audit user accounts and privileges to ensure that only necessary personnel have administrative rights. Employ multi-factor authentication (MFA) for administrative access if supported by the device. Additionally, conduct periodic vulnerability assessments and penetration testing focused on network infrastructure devices to identify and remediate similar risks proactively.
Affected Countries
United States, Germany, Japan, South Korea, China, United Kingdom, Canada, Australia, France, Netherlands
Technical Details
- Data Version: 5.2
- Assigner Short Name: qnap
- Date Reserved: 2025-10-24T02:43:45.372Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69bdbd93e2bf98efc48d0f60
Added to database: 3/20/2026, 9:35:15 PM
Last enriched: 3/20/2026, 9:38:23 PM
Last updated: 3/21/2026, 1:50:21 AM