Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
6DescriptionCVE.org
An improper authentication vulnerability has been reported to affect QHora. If an attacker gains local network access, they can then exploit the vulnerability to compromise the security of the system.
We have already fixed the vulnerability in the following version: QuRouter 2.5.0.140 and later
AnalysisAI
CVE-2024-13088 is an improper authentication vulnerability (CWE-287) affecting QHora/QuRouter that allows local network attackers with low privileges to compromise system confidentiality, integrity, and availability. The vulnerability requires local network access and low privileges but no user interaction, making it a significant risk for networked environments. Patch versions QuRouter 2.5.0.140 and later are available, though KEV/EPSS data and active exploitation status are not confirmed in the provided intelligence.
Technical ContextAI
The vulnerability stems from improper authentication mechanisms in QHora/QuRouter network devices (CWE-287 - Improper Authentication). This class of weakness indicates the device fails to properly verify the identity of users, processes, or systems before granting access to resources. Based on the CVSS vector (AV:L/AC:L/PR:L), the authentication bypass occurs at the local network level, suggesting the device's management interface, inter-process communication, or local service authentication is flawed. The low attack complexity indicates the exploitation method is straightforward and does not require special conditions or techniques. QHora appears to be a networking product line with QuRouter as a specific model variant.
RemediationAI
Upgrade QuRouter firmware to version 2.5.0.140 or later; priority: Critical; details: Vendor has confirmed the vulnerability is fixed in QuRouter 2.5.0.140 and subsequent releases. Organizations should prioritize deployment of this patch or later versions. Workaround/Mitigation: Network Segmentation; details: Restrict local network access to QuRouter devices through network access control lists (ACLs), firewall rules, or VLAN segmentation. Limit access to management interfaces to trusted administrative networks only. Workaround/Mitigation: Privilege Access Management; details: Enforce strong authentication for any local network accounts with elevated privileges. Implement network monitoring to detect unauthorized authentication attempts or unusual access patterns. Detection: Monitor logs for suspicious authentication events on QuRouter management interfaces or local services; details: Enable detailed logging and review authentication failures, privilege escalation attempts, and configuration changes.
A SQL injection vulnerability has been reported to affect QuRouter. Rated critical severity (CVSS 9.5), this vulnerabili
An OS command injection vulnerability has been reported to affect several product versions. Rated critical severity (CVS
A command injection vulnerability has been reported to affect QHora. Rated high severity (CVSS 7.7), this vulnerability
An SQL injection vulnerability exists in QNAP QuRouter that allows authenticated local administrators to execute unautho
An OS command injection vulnerability has been reported to affect several product versions. Rated high severity (CVSS 7.
A command injection vulnerability has been reported to affect QHora. If an attacker gains local network access who have
An improper neutralization of escape, meta, or control sequences vulnerability (CWE-150) affects QNAP QHora/QuRouter dev
A command injection vulnerability has been reported to affect QHora. Rated medium severity (CVSS 5.1), this vulnerabilit
A weak authentication vulnerability exists in QNAP QHora/QuRouter devices that allows attackers with local network acces
An improper restriction of communication channel to intended endpoints vulnerability (CWE-923) has been identified in QN
A command injection vulnerability has been reported to affect QuRouter 2.5.1. Rated high severity (CVSS 7.1), this vulne
Same weakness CWE-287 – Improper Authentication
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2024-54652