Skip to main content

Qurouter EUVDEUVD-2024-54652

| CVE-2024-13088 HIGH
Improper Authentication (CWE-287)
2025-06-06 security@qnapsecurity.com.tw
7.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

6
Analysis Updated
Apr 16, 2026 - 06:45 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
2.5.0.140
EUVD ID Assigned
Mar 14, 2026 - 18:10 euvd
EUVD-2024-54652
Analysis Generated
Mar 14, 2026 - 18:10 vuln.today
CVE Published
Jun 06, 2025 - 16:15 nvd
HIGH 7.8

DescriptionCVE.org

An improper authentication vulnerability has been reported to affect QHora. If an attacker gains local network access, they can then exploit the vulnerability to compromise the security of the system.

We have already fixed the vulnerability in the following version: QuRouter 2.5.0.140 and later

AnalysisAI

CVE-2024-13088 is an improper authentication vulnerability (CWE-287) affecting QHora/QuRouter that allows local network attackers with low privileges to compromise system confidentiality, integrity, and availability. The vulnerability requires local network access and low privileges but no user interaction, making it a significant risk for networked environments. Patch versions QuRouter 2.5.0.140 and later are available, though KEV/EPSS data and active exploitation status are not confirmed in the provided intelligence.

Technical ContextAI

The vulnerability stems from improper authentication mechanisms in QHora/QuRouter network devices (CWE-287 - Improper Authentication). This class of weakness indicates the device fails to properly verify the identity of users, processes, or systems before granting access to resources. Based on the CVSS vector (AV:L/AC:L/PR:L), the authentication bypass occurs at the local network level, suggesting the device's management interface, inter-process communication, or local service authentication is flawed. The low attack complexity indicates the exploitation method is straightforward and does not require special conditions or techniques. QHora appears to be a networking product line with QuRouter as a specific model variant.

RemediationAI

Upgrade QuRouter firmware to version 2.5.0.140 or later; priority: Critical; details: Vendor has confirmed the vulnerability is fixed in QuRouter 2.5.0.140 and subsequent releases. Organizations should prioritize deployment of this patch or later versions. Workaround/Mitigation: Network Segmentation; details: Restrict local network access to QuRouter devices through network access control lists (ACLs), firewall rules, or VLAN segmentation. Limit access to management interfaces to trusted administrative networks only. Workaround/Mitigation: Privilege Access Management; details: Enforce strong authentication for any local network accounts with elevated privileges. Implement network monitoring to detect unauthorized authentication attempts or unusual access patterns. Detection: Monitor logs for suspicious authentication events on QuRouter management interfaces or local services; details: Enable detailed logging and review authentication failures, privilege escalation attempts, and configuration changes.

CVE-2024-50389 CRITICAL
9.5 Dec 06

A SQL injection vulnerability has been reported to affect QuRouter. Rated critical severity (CVSS 9.5), this vulnerabili

CVE-2024-48860 CRITICAL
9.5 Nov 22

An OS command injection vulnerability has been reported to affect several product versions. Rated critical severity (CVS

CVE-2024-50390 HIGH
7.7 Mar 07

A command injection vulnerability has been reported to affect QHora. Rated high severity (CVSS 7.7), this vulnerability

CVE-2025-62846 HIGH
7.3 Mar 20

An SQL injection vulnerability exists in QNAP QuRouter that allows authenticated local administrators to execute unautho

CVE-2024-48861 HIGH
7.3 Nov 22

An OS command injection vulnerability has been reported to affect several product versions. Rated high severity (CVSS 7.

CVE-2024-13087 MEDIUM
6.7 Jun 06

A command injection vulnerability has been reported to affect QHora. If an attacker gains local network access who have

CVE-2025-62845 MEDIUM
5.6 Mar 20

An improper neutralization of escape, meta, or control sequences vulnerability (CWE-150) affects QNAP QHora/QuRouter dev

CVE-2024-53700 MEDIUM
5.1 Mar 07

A command injection vulnerability has been reported to affect QHora. Rated medium severity (CVSS 5.1), this vulnerabilit

CVE-2025-62844 MEDIUM
4.0 Mar 20

A weak authentication vulnerability exists in QNAP QHora/QuRouter devices that allows attackers with local network acces

CVE-2025-62843 LOW
0.9 Mar 20

An improper restriction of communication channel to intended endpoints vulnerability (CWE-923) has been identified in QN

CVE-2025-29887 HIGH
7.1 Aug 29

A command injection vulnerability has been reported to affect QuRouter 2.5.1. Rated high severity (CVSS 7.1), this vulne

Share

EUVD-2024-54652 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy