ZDI 2026-03-30

ZDI-26-240: (Pwn2Own) QNAP QHora-322 qvpn_db_mgr role_type Improper Neutralization of Escape Sequences Authentication Bypass Vulnerability

CVE-2025-62845

Machine-generated analysis · WAYSCloud LLM

The advisory notes that authentication is required to exploit the vulnerability, yet the authentication mechanism can be bypassed, which may indicate a flaw in how role_type input is validated during the authentication process.

Context

The affected product is the QNAP QHora-322 router, specifically involving the qvpn_db_mgr component. The vulnerability is an improper neutralization of escape sequences leading to an authentication bypass. Worth noting is that the advisory explicitly states authentication is required despite the bypass capability. The CVSS score is rated 6.3, indicating a medium severity impact.

Operator considerations

Check: Identify QNAP QHora-322 devices running vulnerable versions of the qvpn_db_mgr component.

From Zero Day Initiative ↗

This vulnerability allows remote attackers to bypass authentication on affected QNAP QHora-322 routers. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The ZDI has assigned a CVSS rating of 6.3. The following CVEs are assigned: CVE-2025-62845.

Read the full advisory on ZDI →