ZDI 2026-03-30

ZDI-26-241: (Pwn2Own) QNAP QHora-322 qvpn_db_mgr username SQL Injection Remote Code Execution Vulnerability

CVE-2025-62846

Machine-generated analysis · WAYSCloud LLM

The vulnerability involves a SQL injection in the qvpn_db_mgr component that can be exploited remotely after bypassing authentication.

Context

The QNAP QHora-322 router is affected, specifically the qvpn_db_mgr component. The advisory describes a SQL injection vulnerability that leads to remote code execution. Authentication is required but can be bypassed, according to the advisory. The ZDI assigned a CVSS score of 8.8, indicating high severity based on their metrics.

Operator considerations

Check: Inventory QNAP QHora-322 devices running vulnerable firmware versions.

From Zero Day Initiative ↗

This vulnerability allows remote attackers to execute arbitrary code on affected installations of QNAP QHora-322 routers. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed. The ZDI has assigned a CVSS rating of 8.8. The following CVEs are assigned: CVE-2025-62846.

Read the full advisory on ZDI →