{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-62845", "assignerOrgId": "2fd009eb-170a-4625-932b-17a53af1051f", "state": "PUBLISHED", "assignerShortName": "qnap", "dateReserved": "2025-10-24T02:43:45.372Z", "datePublished": "2026-03-20T16:21:51.419Z", "dateUpdated": "2026-03-25T14:02:24.019Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "2fd009eb-170a-4625-932b-17a53af1051f", "shortName": "qnap", "dateUpdated": "2026-03-20T16:21:51.419Z"}, "title": "QuRouter", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-150", "description": "CWE-150", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-445", "descriptions": [{"lang": "en", "value": "CAPEC-445"}]}], "affected": [{"vendor": "QNAP Systems Inc.", "product": "QuRouter", "versions": [{"status": "affected", "version": "2.6.x", "lessThan": "2.6.3.009", "versionType": "custom"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "An improper neutralization of escape, meta, or control sequences vulnerability has been reported to affect QHora. If a local attacker gains an administrator account, they can then exploit the vulnerability to cause unexpected behavior.\n\nWe have already fixed the vulnerability in the following version:\nQuRouter 2.6.3.009 and later", "supportingMedia": [{"type": "text/html", "base64": false, "value": "An improper neutralization of escape, meta, or control sequences vulnerability has been reported to affect QHora. If a local attacker gains an administrator account, they can then exploit the vulnerability to cause unexpected behavior.<br><br>We have already fixed the vulnerability in the following version:<br>QuRouter 2.6.3.009 and later<br>"}]}], "references": [{"url": "https://www.qnap.com/en/security-advisory/qsa-26-12"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "LOW", "subIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "LOW", "subAvailabilityImpact": "HIGH", "exploitMaturity": "UNREPORTED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "MEDIUM", "baseScore": 5.6, "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:L/SC:H/SI:H/SA:H/E:U"}}], "solutions": [{"lang": "en", "value": "We have already fixed the vulnerability in the following version:\nQuRouter 2.6.3.009 and later", "supportingMedia": [{"type": "text/html", "base64": false, "value": "We have already fixed the vulnerability in the following version:<br>QuRouter 2.6.3.009 and later<br>"}]}], "credits": [{"lang": "en", "value": "Pwn2Own 2025 - Team DDOS", "type": "finder"}], "source": {"advisory": "QSA-26-12", "discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-25T14:02:15.537332Z", "id": "CVE-2025-62845", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T14:02:24.019Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-62845", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-25T14:02:15.537332Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T14:02:18.992Z"}}], "cna": {"title": "QuRouter", "source": {"advisory": "QSA-26-12", "discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Pwn2Own 2025 - Team DDOS"}], "impacts": [{"capecId": "CAPEC-445", "descriptions": [{"lang": "en", "value": "CAPEC-445"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 5.6, "Automatable": "NOT_DEFINED", "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:L/SC:H/SI:H/SA:H/E:U", "exploitMaturity": "UNREPORTED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "QNAP Systems Inc.", "product": "QuRouter", "versions": [{"status": "affected", "version": "2.6.x", "lessThan": "2.6.3.009", "versionType": "custom"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "We have already fixed the vulnerability in the following version:\nQuRouter 2.6.3.009 and later", "supportingMedia": [{"type": "text/html", "value": "We have already fixed the vulnerability in the following version:<br>QuRouter 2.6.3.009 and later<br>", "base64": false}]}], "references": [{"url": "https://www.qnap.com/en/security-advisory/qsa-26-12"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "An improper neutralization of escape, meta, or control sequences vulnerability has been reported to affect QHora. If a local attacker gains an administrator account, they can then exploit the vulnerability to cause unexpected behavior.\n\nWe have already fixed the vulnerability in the following version:\nQuRouter 2.6.3.009 and later", "supportingMedia": [{"type": "text/html", "value": "An improper neutralization of escape, meta, or control sequences vulnerability has been reported to affect QHora. If a local attacker gains an administrator account, they can then exploit the vulnerability to cause unexpected behavior.<br><br>We have already fixed the vulnerability in the following version:<br>QuRouter 2.6.3.009 and later<br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-150", "description": "CWE-150"}]}], "providerMetadata": {"orgId": "2fd009eb-170a-4625-932b-17a53af1051f", "shortName": "qnap", "dateUpdated": "2026-03-20T16:21:51.419Z"}}}, "cveMetadata": {"cveId": "CVE-2025-62845", "state": "PUBLISHED", "dateUpdated": "2026-03-25T14:02:24.019Z", "dateReserved": "2025-10-24T02:43:45.372Z", "assignerOrgId": "2fd009eb-170a-4625-932b-17a53af1051f", "datePublished": "2026-03-20T16:21:51.419Z", "assignerShortName": "qnap"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:qnap:qurouter:2.6.0.239:build_20250625:*:*:*:*:*:*", "matchCriteriaId": "6BEA7459-EA28-4A5F-ABB4-F00661760FA4", "vulnerable": true}, {"criteria": "cpe:2.3:o:qnap:qurouter:2.6.0.688:build_20250818:*:*:*:*:*:*", "matchCriteriaId": "71BB01EA-6A7B-46CF-A2F7-41DDBA5A17ED", "vulnerable": true}, {"criteria": "cpe:2.3:o:qnap:qurouter:2.6.1.028:build_20251001:*:*:*:*:*:*", "matchCriteriaId": "F61A82A3-3A3E-42B6-B7F6-B5FAF37CCC80", "vulnerable": true}, {"criteria": "cpe:2.3:o:qnap:qurouter:2.6.2.007:build_20251027:*:*:*:*:*:*", "matchCriteriaId": "DC28FAFD-B2EB-4DB5-B438-A439D4305A5F", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An improper neutralization of escape, meta, or control sequences vulnerability has been reported to affect QHora. If a local attacker gains an administrator account, they can then exploit the vulnerability to cause unexpected behavior.\n\nWe have already fixed the vulnerability in the following version:\nQuRouter 2.6.3.009 and later"}, {"lang": "es", "value": "Una vulnerabilidad de neutralizaci\u00f3n incorrecta de secuencias de escape, meta o control se ha reportado que afecta a QHora. Si un atacante local obtiene una cuenta de administrador, puede entonces explotar la vulnerabilidad para causar un comportamiento inesperado.\n\nYa hemos corregido la vulnerabilidad en la siguiente versi\u00f3n:\nQuRouter 2.6.3.009 y posteriores"}], "id": "CVE-2025-62845", "lastModified": "2026-04-14T14:25:40.667", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 0.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.6, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "UNREPORTED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:L/SC:H/SI:H/SA:H/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security@qnapsecurity.com.tw", "type": "Secondary"}]}, "published": "2026-03-20T17:16:42.560", "references": [{"source": "security@qnapsecurity.com.tw", "tags": ["Vendor Advisory"], "url": "https://www.qnap.com/en/security-advisory/qsa-26-12"}], "sourceIdentifier": "security@qnapsecurity.com.tw", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-150"}], "source": "security@qnapsecurity.com.tw", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[2.6.x,2.6.3.009)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "product": "qurouter", "vendor": "qnap_systems"}], "analysis": {"en": {"generated_at": "2026-04-14T20:26:19.221043+00:00", "value": {"mitigation_remediation": ["Upgrade the router firmware to version 2.6.3.009 or later to apply the vendor fix.", "Verify the current firmware build; if it matches any of the vulnerable versions, perform the upgrade immediately.", "If an upgrade cannot be applied right now, restrict local administrator accounts to trusted personnel and monitor the device for abnormal behavior."], "summary": {"action": "Patch", "impact": "Local Exploitation Causing Unexpected Behavior"}, "threat_synthesis": {"affected_systems": "QNAP Systems Inc. QuRouter firmware versions before 2.6.3.009 are vulnerable. Specifically, the builds 2.6.0.239 (build_20250625), 2.6.0.688 (build_20250818), 2.6.1.028 (build_20251001), and 2.6.2.007 (build_20251027) are listed as affected. Users should verify the firmware version on each device to determine exposure.", "description_and_impact": "An improper neutralization of escape, meta, or control sequences has been reported to affect QNAP QuRouter. The vulnerability, identified as CWE\u2011150, allows a local attacker with administrator privileges to input crafted data that bypasses sanitization, which can lead to unexpected behavior of the router. No remote code execution or denial\u2011of\u2011service capability is indicated in the supplied description.", "risk_and_exploitability": "The CVSS score of 5.6 places this issue in the moderate severity range, while an EPSS score below 1\u202f% indicates a low probability of exploitation. Since the flaw requires local administrator privileges, it poses a risk only to trusted or compromised accounts. The vendor has released a patch in firmware 2.6.3.009 and later, simplifying mitigation."}}}}, "created": "2026-03-23T09:53:17.238475+00:00", "title": "Improper Neutralization of Escape Sequences in QNAP QuRouter Enables Local Exploitation", "updated": "2026-04-15T16:45:09.820336+00:00", "vendors": ["qnap_systems", "qnap_systems$PRODUCT$qurouter"]}