CVSS Vector
CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U
Description
A weak authentication vulnerability has been reported to affect QHora. If an attacker gains local network access, they can then exploit the vulnerability to gain sensitive information. We have already fixed the vulnerability in the following version: QuRouter 2.6.2.007 and later.
Analysis
QNAP's advisory describes a weak authentication vulnerability (CWE-1390) in QHora routers running QuRouter: an attacker with access to the local network can obtain sensitive information from the device without valid credentials. QuRouter releases before 2.6.2.007 are affected; exploitation needs network reach to the device but no privileges and no user interaction. One caveat on the severity data: the CVSS 4.0 vector shown above encodes the attack vector as physical (AV:P), which does not match the advisory's statement that local network access is enough, and no EPSS data is listed here, so read the score with that inconsistency in mind. The weakness class and the local-network requirement make this a network-adjacent threat of moderate real-world risk, highest where untrusted devices (guest Wi-Fi, IoT, BYOD) can join the same LAN as the router's management interface.
Technical Context
The weakness class is CWE-1390 (Weak Authentication): an authentication mechanism that exists but does not adequately prove the claimed identity, whether through insufficient credential validation, predictable or reusable tokens, or logic flaws in the checks themselves. The affected product is QuRouter, the operating system of QNAP's QHora router line (CPE: cpe:2.3:a:qnap_systems_inc.:qurouter:*:*:*:*:*:*:*:*), which is why the advisory names QHora hardware while the fix ships as a QuRouter release. The advisory does not describe the flaw. What it does say, that an attacker on the local network can obtain sensitive information, points to inadequate authentication enforcement at the management application or API level, so that a client on the same network segment can read configuration or operational data without proper credentials. The advisory likewise does not say what changed in 2.6.2.007; stricter credential validation, better token handling or tighter access-control enforcement are the usual fixes for this class, but that is inference from the weakness category, not a statement from the vendor.
Affected Products
QNAP QHora routers running QuRouter versions prior to 2.6.2.007 are affected. The CPE on this page (cpe:2.3:a:qnap_systems_inc.:qurouter:*:*:*:*:*:*:*:*) carries a wildcard version, so the version boundary comes from the vendor advisory QSA-26-12 rather than from the CPE: QuRouter 2.6.2.007 and all later releases contain the fix. Treat any QuRouter build before 2.6.2.007 as at risk, particularly where the router shares a network with untrusted participants such as guest, IoT or BYOD clients.
Remediation
Upgrade QuRouter to 2.6.2.007 or later. The QNAP advisory at https://www.qnap.com/en/security-advisory/qsa-26-12 carries the update instructions. Until the upgrade is applied, limit who can reach the router's management interface from the LAN: place management on a dedicated VLAN reachable only from authorised administrative hosts, and keep untrusted clients (guest Wi-Fi, IoT, BYOD) on segments that cannot reach the management ports. Disable services and APIs the deployment does not need. Strong, unique administrative credentials remain good practice, but the advisory does not say whether the weakness is credential-related, so do not treat them as a substitute for the patch. After updating, confirm the running version reads 2.6.2.007 or later and review the device logs for unexpected management-interface access during the period the device was unpatched.
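The "confirm the running version" step is easy to get wrong across a fleet: QuRouter builds carry a zero-padded fourth component (2.6.2.007), so a plain string comparison would rank 2.6.2.010 below the fixed release. The triage helper below is an added example for this page, not QNAP tooling; the inventory records, hostnames and the `firmware` field name are constructed assumptions. It compares versions numerically against the fixed release named in QSA-26-12 and reports devices whose version is missing or unparseable instead of silently marking them safe.

```python
"""Flag QNAP QuRouter firmware versions that predate the fixed release 2.6.2.007
named in QSA-26-12.

Added example for this page; not QNAP's own tooling. The inventory below is
constructed sample data, and the 'host'/'firmware' field names are assumptions.
"""

import re

FIXED_VERSION = "2.6.2.007"  # fixed release from the vendor advisory

_VERSION_RE = re.compile(r"^\d+(?:\.\d+)*$")


def parse_version(text):
    """Return a tuple of ints for a dotted version string.

    '2.6.2.007' -> (2, 6, 2, 7). Components are compared numerically, so
    '2.6.2.010' is correctly newer than '2.6.2.007' even though it sorts
    lower as text. Raises ValueError for anything that is not dotted digits.
    """
    text = text.strip()
    if not _VERSION_RE.match(text):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(part) for part in text.split("."))


def is_vulnerable(version, fixed=FIXED_VERSION):
    """True when version is strictly lower than the fixed release."""
    v, f = parse_version(version), parse_version(fixed)
    # Pad the shorter tuple with zeros so '2.6.2' compares as '2.6.2.0'.
    width = max(len(v), len(f))
    v += (0,) * (width - len(v))
    f += (0,) * (width - len(f))
    return v < f


def triage(inventory, fixed=FIXED_VERSION):
    """Map each host to 'patch', 'ok' or 'unknown'.

    'unknown' covers a missing or unparseable firmware field; those devices
    need a manual check rather than being counted as safe.
    """
    results = {}
    for device in inventory:
        firmware = device.get("firmware")
        try:
            results[device["host"]] = "patch" if is_vulnerable(firmware, fixed) else "ok"
        except (ValueError, AttributeError, TypeError):
            results[device["host"]] = "unknown"
    return results


# Constructed sample inventory: hostnames and versions are made up.
SAMPLE_INVENTORY = [
    {"host": "qhora-branch-1", "firmware": "2.4.5.028"},
    {"host": "qhora-branch-2", "firmware": "2.6.2.007"},
    {"host": "qhora-lab", "firmware": "2.6.2.010"},
    {"host": "qhora-hq", "firmware": "2.6.2.7"},
    {"host": "qhora-old", "firmware": None},
    {"host": "qhora-typo", "firmware": "v2.6.1"},
]

if __name__ == "__main__":
    verdicts = triage(SAMPLE_INVENTORY)
    # List the devices that need attention first: unknowns, then unpatched.
    order = {"unknown": 0, "patch": 1, "ok": 2}
    for host, verdict in sorted(verdicts.items(), key=lambda kv: (order[kv[1]], kv[0])):
        print(f"{host:16} {verdict}")
```

Numeric comparison is what makes 2.6.2.010 and 2.6.2.7 land on the right side of the boundary; the `unknown` bucket is the part most fleet scripts omit, and it is where unmanaged or mislabelled routers hide.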
EUVD-2025-208897