Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:L/SC:H/SI:H/SA:H/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:L/SC:H/SI:H/SA:H/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
An improper neutralization of escape, meta, or control sequences vulnerability has been reported to affect QHora. If a local attacker gains an administrator account, they can then exploit the vulnerability to cause unexpected behavior.
We have already fixed the vulnerability in the following version: QuRouter 2.6.3.009 and later
AnalysisAI
An improper neutralization of escape, meta, or control sequences vulnerability (CWE-150) affects QNAP QHora/QuRouter devices, allowing local attackers with administrator privileges to cause unexpected behavior through injection of unfiltered control sequences. The vulnerability has been patched in QuRouter version 2.6.3.009 and later. While no CVSS score, EPSS probability, or KEV/POC data are currently published, the requirement for local administrator access significantly limits exploitation scope in typical deployments.
Technical ContextAI
This vulnerability falls under CWE-150 (Improper Neutralization of Escape, Meta, or Control Sequences), a class of defects where user-controlled input containing escape sequences, control characters, or metacharacters is not properly sanitized before being processed by an interpreter, shell, or terminal interface. The affected product is QNAP QuRouter (identified via CPE cpe:2.3:a:qnap_systems_inc.:qurouter:*:*:*:*:*:*:*:*), a network routing appliance commonly deployed in enterprise and small-business environments. The vulnerability likely resides in an administrative interface or configuration function that processes user input without adequate escaping or validation, potentially allowing injection of ANSI escape sequences, shell metacharacters, or control codes that could manipulate terminal output, bypass access controls, or trigger unintended system behavior.
RemediationAI
Upgrade QNAP QuRouter to version 2.6.3.009 or later immediately; this is the primary and only confirmed remediation path provided by the vendor. Consult https://www.qnap.com/en/security-advisory/qsa-26-12 for detailed upgrade procedures and availability of firmware images. As an interim control pending patching, restrict administrative access to the QuRouter to trusted network ranges via firewall rules, enforce strong password policies and multi-factor authentication for administrator accounts if supported, disable remote administrative access if not required, and monitor administrative activity logs for unauthorized changes or suspicious escape sequence injection attempts.
A SQL injection vulnerability has been reported to affect QuRouter. Rated critical severity (CVSS 9.5), this vulnerabili
An OS command injection vulnerability has been reported to affect several product versions. Rated critical severity (CVS
CVE-2024-13088 is an improper authentication vulnerability (CWE-287) affecting QHora/QuRouter that allows local network
A command injection vulnerability has been reported to affect QHora. Rated high severity (CVSS 7.7), this vulnerability
An SQL injection vulnerability exists in QNAP QuRouter that allows authenticated local administrators to execute unautho
An OS command injection vulnerability has been reported to affect several product versions. Rated high severity (CVSS 7.
A command injection vulnerability has been reported to affect QHora. If an attacker gains local network access who have
A command injection vulnerability has been reported to affect QHora. Rated medium severity (CVSS 5.1), this vulnerabilit
A weak authentication vulnerability exists in QNAP QHora/QuRouter devices that allows attackers with local network acces
An improper restriction of communication channel to intended endpoints vulnerability (CWE-923) has been identified in QN
A command injection vulnerability has been reported to affect QuRouter 2.5.1. Rated high severity (CVSS 7.1), this vulne
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-208899