EUVD-2025-208899

CVE-2025-62845 | Severity: MEDIUM
Published: 2026-03-20 | Vendor: qnap
CVSS 4.0 base score: 5.6

CVSS Vector

CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:L/SC:H/SI:H/SA:H/E:U
Attack Vector: Local
Attack Complexity: Low
Privileges Required: High
User Interaction: None

Lifecycle Timeline

EUVD ID Assigned: Mar 20, 2026 16:30 (euvd), EUVD-2025-208899
Analysis Generated: Mar 20, 2026 16:30 (vuln.today)
CVE Published: Mar 20, 2026 16:21 (nvd), MEDIUM 5.6

Description

An improper neutralization of escape, meta, or control sequences vulnerability has been reported to affect QHora. If a local attacker gains an administrator account, they can then exploit the vulnerability to cause unexpected behavior. We have already fixed the vulnerability in the following version: QuRouter 2.6.3.009 and later.

Analysis

An improper neutralization of escape, meta, or control sequences vulnerability (CWE-150) affects QNAP QHora routers running QuRouter, allowing a local attacker who already holds administrator privileges to cause unexpected behavior by injecting unfiltered control sequences. The vulnerability is patched in QuRouter version 2.6.3.009 and later. While no CVSS score, EPSS probability, or KEV/POC data are currently published, the requirement for local administrator access significantly limits the exploitation scope in typical deployments.

Technical Context

This vulnerability falls under CWE-150 (Improper Neutralization of Escape, Meta, or Control Sequences), a class of defects where user-controlled input containing escape sequences, control characters, or metacharacters is not properly sanitized before being processed by an interpreter, shell, or terminal interface. The affected product is QNAP QuRouter (identified via CPE cpe:2.3:a:qnap_systems_inc.:qurouter:*:*:*:*:*:*:*:*), a network routing appliance commonly deployed in enterprise and small-business environments. The vulnerability likely resides in an administrative interface or configuration function that processes user input without adequate escaping or validation, potentially allowing injection of ANSI escape sequences, shell metacharacters, or control codes that could manipulate terminal output, bypass access controls, or trigger unintended system behavior.

Affected Products

QNAP QuRouter versions prior to 2.6.3.009 are affected, as confirmed by vendor advisory and CPE designation (cpe:2.3:a:qnap_systems_inc.:qurouter:*:*:*:*:*:*:*:*). All versions below 2.6.3.009 are in scope. The vulnerability was reported by QNAP Systems Inc. and is documented in their security advisory at https://www.qnap.com/en/security-advisory/qsa-26-12.

Remediation

Upgrade QNAP QuRouter to version 2.6.3.009 or later immediately; this is the only remediation path the vendor has confirmed. Consult https://www.qnap.com/en/security-advisory/qsa-26-12 for upgrade procedures and the availability of firmware images. Until the upgrade is applied: restrict administrative access to the QuRouter to trusted network ranges via firewall rules; enforce strong password policies and multi-factor authentication for administrator accounts where supported; disable remote administrative access if it is not required; and monitor administrative activity logs for unauthorized changes and for submitted values that contain escape or control sequences.
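The CWE-150 defect class in the Technical Context and the log-monitoring advice above both come down to the same check: detect escape and control sequences in administrator-supplied values and render them harmless before a terminal, log viewer or interpreter sees them. The following Python is an added illustration, not QNAP code; the log lines are constructed, and the real input path of CVE-2025-62845 is not public.

```python
import re

# Matches one escape/control sequence. Alternation order matters: the longer
# ESC-prefixed forms are tried before the bare control-byte class.
CONTROL_SEQ = re.compile(
    r"\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)"           # OSC: ESC ] ... BEL or ESC \ (title, hyperlink)
    r"|\x1b\[[0-?]*[ -/]*[@-~]"                   # CSI: ESC [ params intermediates final (colour, cursor)
    r"|\x1b[@-Z\\-_]"                             # other two-byte ESC sequences (e.g. ESC c = reset)
    r"|[\x00-\x08\x0b\x0c\x0e-\x1f\x7f\x80-\x9f]"  # stray C0/C1 bytes and DEL; \t \n \r are kept
)

def find_control_sequences(text):
    """Return every escape/control sequence found in text, in order of appearance."""
    return [m.group(0) for m in CONTROL_SEQ.finditer(text)]

def neutralize(text):
    """Render each control/escape sequence as visible \\xNN text so the value can be
    stored, logged or displayed without a terminal or log viewer interpreting it.
    Escaping rather than deleting keeps the evidence intact for later review."""
    return CONTROL_SEQ.sub(lambda m: "".join(f"\\x{ord(c):02x}" for c in m.group(0)), text)

# Constructed admin-activity log lines for illustration; they are not real QuRouter
# logs. Line 3 carries CSI erase-line/cursor-up sequences that a terminal would act
# on instead of displaying, which is exactly what log review must not miss.
SAMPLE_LOG = [
    "2026-03-20T16:21:03Z admin set hostname=branch-router-01",
    "2026-03-20T16:22:41Z admin add user=auditor role=readonly",
    "2026-03-20T16:23:10Z admin set hostname=\x1b[2K\x1b[1A\x1b[2Krouter",
    "2026-03-20T16:24:55Z admin set banner=Welcome\x07\x07",
]

def flag_suspicious(lines):
    """Return (line_number, neutralized_line, sequences) for every line that
    contains at least one escape or control sequence."""
    hits = []
    for number, line in enumerate(lines, 1):
        sequences = find_control_sequences(line)
        if sequences:
            hits.append((number, neutralize(line), sequences))
    return hits

if __name__ == "__main__":
    for number, shown, sequences in flag_suspicious(SAMPLE_LOG):
        print(f"line {number}: {len(sequences)} control sequence(s) -> {shown}")
```

The same `neutralize` call belongs on the input side as well, applied to every administrator-supplied value before it reaches a config file, a shell or a log writer.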

Priority Score

Priority Score: 28 (scale: Low / Medium / High / Critical)
Components: KEV 0, EPSS +0.0, CVSS +28, POC 0
