Skip to main content

Qurouter CVE-2025-62845

| EUVDEUVD-2025-208899 MEDIUM
Improper Neutralization of Escape, Meta, or Control Sequences (CWE-150)
2026-03-20 qnap
5.6
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
5.6 MEDIUM
CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:L/SC:H/SI:H/SA:H/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:L/SC:H/SI:H/SA:H/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
X

Lifecycle Timeline

4
Patch available
Apr 16, 2026 - 05:29 EUVD
2.6.3.009
EUVD ID Assigned
Mar 20, 2026 - 16:30 euvd
EUVD-2025-208899
Analysis Generated
Mar 20, 2026 - 16:30 vuln.today
CVE Published
Mar 20, 2026 - 16:21 nvd
MEDIUM 5.6

DescriptionCVE.org

An improper neutralization of escape, meta, or control sequences vulnerability has been reported to affect QHora. If a local attacker gains an administrator account, they can then exploit the vulnerability to cause unexpected behavior.

We have already fixed the vulnerability in the following version: QuRouter 2.6.3.009 and later

AnalysisAI

An improper neutralization of escape, meta, or control sequences vulnerability (CWE-150) affects QNAP QHora/QuRouter devices, allowing local attackers with administrator privileges to cause unexpected behavior through injection of unfiltered control sequences. The vulnerability has been patched in QuRouter version 2.6.3.009 and later. While no CVSS score, EPSS probability, or KEV/POC data are currently published, the requirement for local administrator access significantly limits exploitation scope in typical deployments.

Technical ContextAI

This vulnerability falls under CWE-150 (Improper Neutralization of Escape, Meta, or Control Sequences), a class of defects where user-controlled input containing escape sequences, control characters, or metacharacters is not properly sanitized before being processed by an interpreter, shell, or terminal interface. The affected product is QNAP QuRouter (identified via CPE cpe:2.3:a:qnap_systems_inc.:qurouter:*:*:*:*:*:*:*:*), a network routing appliance commonly deployed in enterprise and small-business environments. The vulnerability likely resides in an administrative interface or configuration function that processes user input without adequate escaping or validation, potentially allowing injection of ANSI escape sequences, shell metacharacters, or control codes that could manipulate terminal output, bypass access controls, or trigger unintended system behavior.

RemediationAI

Upgrade QNAP QuRouter to version 2.6.3.009 or later immediately; this is the primary and only confirmed remediation path provided by the vendor. Consult https://www.qnap.com/en/security-advisory/qsa-26-12 for detailed upgrade procedures and availability of firmware images. As an interim control pending patching, restrict administrative access to the QuRouter to trusted network ranges via firewall rules, enforce strong password policies and multi-factor authentication for administrator accounts if supported, disable remote administrative access if not required, and monitor administrative activity logs for unauthorized changes or suspicious escape sequence injection attempts.

CVE-2024-50389 CRITICAL
9.5 Dec 06

A SQL injection vulnerability has been reported to affect QuRouter. Rated critical severity (CVSS 9.5), this vulnerabili

CVE-2024-48860 CRITICAL
9.5 Nov 22

An OS command injection vulnerability has been reported to affect several product versions. Rated critical severity (CVS

CVE-2024-13088 HIGH
7.8 Jun 06

CVE-2024-13088 is an improper authentication vulnerability (CWE-287) affecting QHora/QuRouter that allows local network

CVE-2024-50390 HIGH
7.7 Mar 07

A command injection vulnerability has been reported to affect QHora. Rated high severity (CVSS 7.7), this vulnerability

CVE-2025-62846 HIGH
7.3 Mar 20

An SQL injection vulnerability exists in QNAP QuRouter that allows authenticated local administrators to execute unautho

CVE-2024-48861 HIGH
7.3 Nov 22

An OS command injection vulnerability has been reported to affect several product versions. Rated high severity (CVSS 7.

CVE-2024-13087 MEDIUM
6.7 Jun 06

A command injection vulnerability has been reported to affect QHora. If an attacker gains local network access who have

CVE-2024-53700 MEDIUM
5.1 Mar 07

A command injection vulnerability has been reported to affect QHora. Rated medium severity (CVSS 5.1), this vulnerabilit

CVE-2025-62844 MEDIUM
4.0 Mar 20

A weak authentication vulnerability exists in QNAP QHora/QuRouter devices that allows attackers with local network acces

CVE-2025-62843 LOW
0.9 Mar 20

An improper restriction of communication channel to intended endpoints vulnerability (CWE-923) has been identified in QN

CVE-2025-29887 HIGH
7.1 Aug 29

A command injection vulnerability has been reported to affect QuRouter 2.5.1. Rated high severity (CVSS 7.1), this vulne

Share

CVE-2025-62845 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy