Skip to main content

Qurouter EUVDEUVD-2025-208897

| CVE-2025-62844 MEDIUM
Weak Authentication (CWE-1390)
2026-03-20 qnap
4.0
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
4.0 MEDIUM
CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Physical
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
Patch available
Apr 16, 2026 - 05:29 EUVD
2.6.2.007
EUVD ID Assigned
Mar 20, 2026 - 16:30 euvd
EUVD-2025-208897
Analysis Generated
Mar 20, 2026 - 16:30 vuln.today
CVE Published
Mar 20, 2026 - 16:21 nvd
MEDIUM 4.0

DescriptionCVE.org

A weak authentication vulnerability has been reported to affect QHora. If an attacker gains local network access, they can then exploit the vulnerability to gain sensitive information.

We have already fixed the vulnerability in the following version: QuRouter 2.6.2.007 and later

AnalysisAI

A weak authentication vulnerability exists in QNAP QHora/QuRouter devices that allows attackers with local network access to bypass authentication mechanisms and disclose sensitive information. The vulnerability affects QuRouter versions prior to 2.6.2.007, and exploitation requires network-level access but no special privileges. While no CVSS score or EPSS data is publicly available, the classification as CWE-1390 (Weak Authentication) and the emphasis on local network access indicates this is a network-adjacent threat with moderate real-world risk, particularly in environments where untrusted devices can connect to the local network.

Technical ContextAI

This vulnerability is rooted in CWE-1390 (Weak Authentication), which encompasses failures in authentication mechanisms such as insufficient credential validation, predictable authentication tokens, or logic flaws in access control. In the context of QNAP QuRouter (CPE: cpe:2.3:a:qnap_systems_inc.:qurouter:*:*:*:*:*:*:*:*), the affected product is a network routing appliance that manages network traffic and connectivity. The weakness appears to stem from inadequate authentication enforcement at the application or API level, allowing attackers on the same network segment to extract sensitive configuration or operational data without proper credentials. The fix in version 2.6.2.007 and later suggests the vendor implemented stronger authentication mechanisms, likely including improved token handling, stricter credential validation, or enhanced access control enforcement.

RemediationAI

Upgrade QNAP QuRouter to firmware version 2.6.2.007 or later immediately. Visit the official QNAP security advisory at https://www.qnap.com/en/security-advisory/qsa-26-12 for patch download links and detailed upgrade instructions. As an interim control, restrict local network access to the QuRouter's management interface by implementing network segmentation—isolate the device on a dedicated management VLAN with access only from authorized administrative systems and block untrusted devices from reaching the management ports. Additionally, disable any unnecessary services or APIs on the QuRouter and ensure strong, unique administrative credentials are in use. After patching, verify the update completed successfully and monitor device logs for any exploitation attempts.

CVE-2024-50389 CRITICAL
9.5 Dec 06

A SQL injection vulnerability has been reported to affect QuRouter. Rated critical severity (CVSS 9.5), this vulnerabili

CVE-2024-48860 CRITICAL
9.5 Nov 22

An OS command injection vulnerability has been reported to affect several product versions. Rated critical severity (CVS

CVE-2024-13088 HIGH
7.8 Jun 06

CVE-2024-13088 is an improper authentication vulnerability (CWE-287) affecting QHora/QuRouter that allows local network

CVE-2024-50390 HIGH
7.7 Mar 07

A command injection vulnerability has been reported to affect QHora. Rated high severity (CVSS 7.7), this vulnerability

CVE-2025-62846 HIGH
7.3 Mar 20

An SQL injection vulnerability exists in QNAP QuRouter that allows authenticated local administrators to execute unautho

CVE-2024-48861 HIGH
7.3 Nov 22

An OS command injection vulnerability has been reported to affect several product versions. Rated high severity (CVSS 7.

CVE-2024-13087 MEDIUM
6.7 Jun 06

A command injection vulnerability has been reported to affect QHora. If an attacker gains local network access who have

CVE-2025-62845 MEDIUM
5.6 Mar 20

An improper neutralization of escape, meta, or control sequences vulnerability (CWE-150) affects QNAP QHora/QuRouter dev

CVE-2024-53700 MEDIUM
5.1 Mar 07

A command injection vulnerability has been reported to affect QHora. Rated medium severity (CVSS 5.1), this vulnerabilit

CVE-2025-62843 LOW
0.9 Mar 20

An improper restriction of communication channel to intended endpoints vulnerability (CWE-923) has been identified in QN

CVE-2025-29887 HIGH
7.1 Aug 29

A command injection vulnerability has been reported to affect QuRouter 2.5.1. Rated high severity (CVSS 7.1), this vulne

Share

EUVD-2025-208897 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy