CVE-2025-62846 in QuRouter
Summary
by MITRE • 03/20/2026
An SQL injection vulnerability has been reported to affect QHora. If a local attacker gains an administrator account, they can then exploit the vulnerability to execute unauthorized code or commands.
We have already fixed the vulnerability in the following version: QuRouter 2.6.2.007 and later
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 03/27/2026
The reported vulnerability CVE-2025-62846 represents a critical SQL injection flaw within the QHora application that poses significant security risks to organizations relying on this system. This vulnerability stems from inadequate input validation and sanitization within the application's database interaction mechanisms, creating an exploitable condition that allows malicious actors to manipulate database queries through crafted input parameters. The vulnerability specifically affects the QuRouter software suite, with the affected version being QHora prior to QuRouter 2.6.2.007, indicating a targeted issue within the database layer of the application's architecture.
The technical exploitation of this vulnerability requires a local attacker to first obtain administrative privileges within the system, which creates a multi-layered attack vector that combines both privilege escalation and injection techniques. Once administrative access is achieved, the attacker can leverage the SQL injection flaw to execute arbitrary database commands that may escalate privileges further or extract sensitive information from the underlying database. This vulnerability aligns with CWE-89 which specifically addresses SQL injection weaknesses in software applications, where improper handling of user-supplied data in database queries creates opportunities for malicious input to alter the intended execution flow of database operations. The attack pattern follows established methodologies described in the ATT&CK framework under T1078 for Valid Accounts and T1041 for Exfiltration, as the compromised administrative credentials enable further exploitation and data extraction.
The operational impact of this vulnerability extends beyond simple data compromise to potentially enable full system takeover through unauthorized code execution capabilities. Organizations utilizing affected versions of QuRouter face risks including unauthorized data access, data modification, and potential system compromise that could lead to broader network infiltration. The local privilege requirement for initial exploitation suggests that the vulnerability may be more difficult to exploit remotely, but the combination of local access and SQL injection creates a dangerous combination that could be leveraged by insider threats or attackers who have already established a foothold within the network environment. The remediation through QuRouter 2.6.2.007 demonstrates that the vendor has addressed the root cause through proper input validation and parameterized query implementation, which are fundamental security controls recommended by both NIST and OWASP for preventing SQL injection attacks.
Organizations should prioritize immediate deployment of QuRouter 2.6.2.007 across all affected systems to mitigate the identified risk. The vulnerability assessment should include verification of administrative account security practices and implementation of additional monitoring for suspicious database access patterns. Security teams should also consider implementing network segmentation and database access controls to limit the potential impact of credential compromise. The fix addresses the core SQL injection vulnerability through proper input sanitization and parameterized database queries, which aligns with industry best practices outlined in the OWASP Top Ten and NIST Cybersecurity Framework. Continued monitoring of system logs for unauthorized administrative access attempts and database query anomalies remains essential for detecting potential exploitation attempts.