Critical Remote Code Execution via SQL Injection in QNAP TS‑453E (CVE‑2025‑62847) Threatens Network‑Attached Storage
What It Is – A newly disclosed vulnerability (ZDI‑26‑200) in QNAP’s TS‑453E NAS allows an attacker to inject SQL through user‑supplied input to the nvrlog_event_add endpoint: the endpoint builds a database query from attacker‑controlled data, so a crafted request runs attacker‑chosen SQL and, per the advisory, leads to arbitrary code execution with admin privileges. Note that the CVSS vector below carries PR:L, so low‑privileged credentials are required; this is an escalation from a low‑privileged account to admin‑level code execution, not an unauthenticated bypass.
Exploitability – The attack vector is adjacent network (AV:A): the attacker must reach the NAS from the same local segment, VPN or otherwise adjacent network, which is the normal situation in MSP and shared‑storage deployments. A working exploit was demonstrated at Pwn2Own, so the technique is known to be practical. The CVSS v3 base score of 8.0 (AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) rates severity (low attack complexity, no user interaction, full loss of confidentiality, integrity and availability), not the probability of in‑the‑wild exploitation; treat it as high priority because a demonstrated exploit exists and the device typically holds sensitive data.
Affected Products – QNAP TS‑453E (all firmware versions prior to the March 2026 security update).
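The injection class described above, as an added illustration that is not QNAP’s code and does not reflect the TS‑453E’s actual schema, queries or endpoint implementation (the `nvr_event` table, the `log_event_*` handlers and the payload are all hypothetical): a message string concatenated into an INSERT, beside the parameterized form that removes the injection.

```python
import sqlite3

# Hypothetical event table. This illustrates the SQL injection class only; it is
# not QNAP's schema and not the real nvrlog_event_add implementation.
SCHEMA = """
CREATE TABLE nvr_event (
    id       INTEGER PRIMARY KEY,
    severity INTEGER NOT NULL,
    msg      TEXT NOT NULL
);
"""

# Constructed payload: closes the string literal, appends a second statement
# (here a forged log entry; the same position could run any SQL the backend
# permits) and comments out the tail of the original query.
PAYLOAD = "cam1 offline'); INSERT INTO nvr_event (severity, msg) VALUES (0, 'forged'); --"


def new_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def log_event_vulnerable(conn, severity, msg):
    """Builds the INSERT by string concatenation, so msg becomes part of the SQL.
    executescript() runs every statement in the string, mimicking a backend that
    hands the assembled text to a multi-statement exec call."""
    sql = (
        "INSERT INTO nvr_event (severity, msg) "
        f"VALUES ({int(severity)}, '{msg}')"
    )
    conn.executescript(sql)


def log_event_safe(conn, severity, msg):
    """Bound parameters: the driver sends msg as data, never as SQL text."""
    conn.execute(
        "INSERT INTO nvr_event (severity, msg) VALUES (?, ?)",
        (int(severity), msg),
    )
    conn.commit()


def stored_events(conn):
    return conn.execute("SELECT severity, msg FROM nvr_event ORDER BY id").fetchall()


def demo():
    """Returns (rows written by the vulnerable handler, rows written by the safe handler)."""
    vuln = new_db()
    log_event_vulnerable(vuln, 1, PAYLOAD)
    safe = new_db()
    log_event_safe(safe, 1, PAYLOAD)
    return stored_events(vuln), stored_events(safe)


if __name__ == "__main__":
    vuln_rows, safe_rows = demo()
    print("vulnerable handler stored:", vuln_rows)  # two rows, one of them forged
    print("safe handler stored:     ", safe_rows)   # one row holding the payload as text
```

The vulnerable handler ends up with a second, attacker‑authored row; the parameterized handler stores the payload verbatim as a message. On a real appliance the injected statement is the foothold that the advisory says escalates to code execution, which is why the only durable fix is the vendor patch rather than input filtering in front of the endpoint.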
TPRM Impact –
- Compromise of a storage appliance can expose confidential client data, backups, and proprietary code.
- QNAP NAS units are common in MSP and shared‑service environments, so a compromise of one appliance can cascade to the downstream partners whose data, backups or code it hosts.
Recommended Actions –
- Verify the firmware version on every QNAP TS‑453E (in the QTS web console or via the device inventory) and upgrade immediately to the fixed version listed in QSA‑25‑45.
- Conduct a network scan for the vulnerable nvrlog_event_add endpoint and block external access via firewall rules. Because the attack vector is adjacent‑network, also restrict management access on the LAN to administrative VLANs or jump hosts rather than relying on the internet perimeter alone.
- Review web‑server logs for anomalous msg parameters sent to nvrlog_event_add (quotes, comment sequences, semicolons or SQL keywords) and for any unexpected admin‑level activity following such requests.
- Re‑assess third‑party risk contracts that include QNAP storage as a critical service.
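The log review above, as an added example that is not part of the advisory or of any QNAP tooling: it parses Apache combined‑format access lines, picks out requests to the nvrlog_event_add endpoint, decodes the msg parameter and flags SQL metacharacters. The sample lines are constructed, and the request path under /cgi-bin/nvr/ is a hypothetical placement of the endpoint; only the endpoint name and the msg parameter come from the advisory.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in Apache "combined" format. They are not real QNAP
# logs; the /cgi-bin/nvr/ path is assumed for illustration.
SAMPLE_LOG = """\
192.168.1.20 - - [02/Mar/2026:09:14:01 +0000] "GET /cgi-bin/nvr/nvrlog_event_add?msg=Motion+detected+cam1&level=1 HTTP/1.1" 200 15 "-" "Mozilla/5.0"
192.168.1.77 - - [02/Mar/2026:09:14:07 +0000] "GET /cgi-bin/nvr/nvrlog_event_add?msg=x%27%29%3B+INSERT+INTO+nvr_event+VALUES+%281%2C%27forged%27%29%3B--&level=1 HTTP/1.1" 200 15 "-" "python-requests/2.31"
192.168.1.20 - - [02/Mar/2026:09:15:30 +0000] "GET /cgi-bin/filemanager/utilRequest.cgi?func=get_list HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.168.1.77 - - [02/Mar/2026:09:16:02 +0000] "POST /cgi-bin/nvr/nvrlog_event_add?msg=a%27+OR+%271%27%3D%271 HTTP/1.1" 500 0 "-" "curl/8.4.0"
"""

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Cheap indicators of SQL syntax in a value that should be plain message text.
INDICATORS = [
    ("single_quote", re.compile(r"'")),
    ("comment", re.compile(r"--|/\*")),
    ("stacked_statement", re.compile(r";")),
    ("sql_keyword", re.compile(r"\b(union|select|insert|update|delete|drop|sleep)\b", re.I)),
    ("tautology", re.compile(r"\b(or|and)\b\s*'?\w*'?\s*=", re.I)),
]


def extract_msg(target):
    """Decoded msg parameter from the request target's query string, or None."""
    values = parse_qs(urlsplit(target).query).get("msg")
    return values[0] if values else None


def inspect_msg(msg):
    """Names of the indicators that fire on a decoded msg value."""
    return [name for name, rx in INDICATORS if rx.search(msg)]


def scan_log(text):
    """Findings for nvrlog_event_add requests whose msg looks like SQL."""
    findings = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        target = m.group("target")
        if "nvrlog_event_add" not in urlsplit(target).path:
            continue
        msg = extract_msg(target)
        if msg is None:
            continue
        hits = inspect_msg(msg)
        if hits:
            findings.append({
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "method": m.group("method"),
                "status": m.group("status"),
                "msg": msg,
                "indicators": hits,
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['method']} {f['status']} "
              f"{','.join(f['indicators'])} msg={f['msg']!r}")
```

Two caveats a reviewer should keep in mind: an access log records only the query string, so a msg carried in a POST body will not appear here and must be pulled from the application log or a reverse proxy capture; and the indicators are deliberately loose, so a hit is a lead to correlate with a 500 response or with admin‑level actions from the same source address shortly afterwards, not a verdict on its own.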