Skip to main content

Router Qn I 470 CVE-2026-41037

| EUVDEUVD-2026-24079 HIGH
OS Command Injection (CWE-78)
2026-04-21 CERT-In GHSA-whhc-f8fh-m5cr
8.7
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.7 HIGH
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

7
Analysis Updated
Apr 21, 2026 - 11:27 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 21, 2026 - 11:22 vuln.today
cvss_changed
Analysis Generated
Apr 21, 2026 - 10:27 vuln.today
CVSS changed
Apr 21, 2026 - 10:22 NVD
8.7 (HIGH)
EUVD ID Assigned
Apr 21, 2026 - 10:15 euvd
EUVD-2026-24079
Analysis Generated
Apr 21, 2026 - 10:15 vuln.today
CVE Published
Apr 21, 2026 - 10:04 nvd
HIGH 8.7

DescriptionCVE.org

This vulnerability exists in Quantum Networks router due to inadequate sanitization of user-supplied input in the management CLI interface. An authenticated remote attacker could exploit this vulnerability by injecting arbitrary OS commands on the targeted device.

Successful exploitation of this vulnerability could allow the attacker to perform remote code execution with root privileges on the targeted device.

AnalysisAI

Remote code execution with root privileges in Quantum Networks router QN-I-470 version 6.1.1.B1 allows adjacent network attackers to execute arbitrary OS commands through the management CLI interface via command injection. The vulnerability requires no authentication (CVSS PR:N) and exploits inadequate input sanitization (CWE-78). Adjacent network access (AV:A) limits attack surface to local network segments. No active exploitation (CISA KEV) or public exploit code identified at time of analysis, though EPSS data unavailable to assess real-world exploitation probability.

Technical ContextAI

This is an OS command injection vulnerability (CWE-78) affecting the management Command Line Interface (CLI) of Quantum Networks router QN-I-470 firmware version 6.1.1.B1 (CPE: cpe:2.3:a:quantum_networks:router_qn-i-470:*:*:*:*:*:*:*:*). Command injection occurs when applications pass unsanitized user input directly to system shell interpreters, allowing attackers to append malicious commands using shell metacharacters (semicolons, pipes, backticks). The CLI interface - typically accessed via SSH, Telnet, or serial console - fails to properly validate input before passing it to underlying OS command execution functions. With root-level execution context typical in network device management interfaces, successful injection bypasses all OS-level access controls, granting complete device control. The CVSS 4.0 vector confirms Adjacent network attack vector (AV:A), meaning the attacker must be on the same broadcast domain or VLAN as the router's management interface, which reduces exposure compared to internet-facing vulnerabilities but remains critical in enterprise environments where internal network segmentation may be weak.

RemediationAI

Consult CERT-In advisory CIVN-2026-0200 at https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01&VLCODE=CIVN-2026-0200 for vendor-recommended fixes - no patched firmware version independently confirmed from available data sources. As compensating controls until patch deployment: restrict management CLI access using access control lists (ACLs) to permit only known administrator IP addresses, eliminating adjacent network attack surface but requiring maintenance of administrator IP whitelist; deploy management interfaces on isolated VLANs with strict firewall rules preventing lateral movement from user VLANs, reducing but not eliminating risk from compromised adjacent hosts; disable unused management protocols (Telnet if SSH available, HTTP if HTTPS available) to reduce attack surface, noting this does not address the underlying injection flaw; implement network access control (802.1X) on management VLANs to prevent unauthorized device connections, adding authentication layer but increasing operational complexity. Monitor CLI access logs for unusual command patterns or failures. Contact Quantum Networks support directly for patch timeline if not specified in CERT-In advisory.

Share

CVE-2026-41037 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy