Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
6DescriptionCVE.org
This vulnerability exists in Quantum Networks router due to improper access control and insecure default configuration in the web-based management interface. An unauthenticated attacker could exploit this vulnerability by accessing exposed API endpoints on the targeted device.
Successful exploitation of this vulnerability could allow the attacker to access sensitive information, including internal endpoints, scripts and directories on the targeted device.
AnalysisAI
Information disclosure in Quantum Networks Router QN-I-470 version 6.1.1.B1 allows unauthenticated remote attackers to access sensitive internal data including API endpoints, scripts, and directories through exposed web management interface. Vulnerability stems from improper access control and insecure default configuration (CWE-306). CVSS 8.7 reflects network-accessible, low-complexity attack requiring no authentication or user interaction. No public exploit code identified at time of analysis, though the attack surface (exposed API endpoints) suggests straightforward exploitation. Reported by CERT-In (India national CERT), indicating potential regional targeting or discovery during incident response.
Technical ContextAI
This vulnerability affects the web-based management interface of Quantum Networks Router QN-I-470 firmware version 6.1.1.B1 (CPE: cpe:2.3:a:quantum_networks:router_qn-i-470:*:*:*:*:*:*:*:*). The root cause is CWE-306 (Missing Authentication for Critical Function), meaning API endpoints in the administrative interface lack proper authentication checks and are accessible without credentials. The CVSS 4.0 vector (AV:N/AC:L/PR:N) indicates these endpoints are reachable over the network with low attack complexity and no required privileges. CERT-In classification as Authentication Bypass confirms that security controls intended to protect administrative functions are either absent or bypassable. Insecure default configuration suggests the device ships with these API endpoints exposed, rather than requiring opt-in or explicit configuration. This is a common vulnerability class in embedded device web interfaces where developers expose internal APIs for legitimate administrative functions but fail to enforce authentication consistently across all endpoints.
RemediationAI
Organizations using Quantum Networks Router QN-I-470 should immediately consult CERT-In advisory CIVN-2026-0200 at https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01&VLCODE=CIVN-2026-0200 for vendor-supplied firmware updates addressing this vulnerability. No specific patch version is confirmed in available data at time of analysis. Until patching is feasible, implement network-level access controls to restrict web management interface access: configure firewall rules to allow administrative access only from trusted management networks or specific IP addresses, disable external (WAN-side) access to the web interface if not operationally required, and implement VPN-only access for remote administration. If the router supports it, disable unused API endpoints or the web interface entirely if command-line management is viable. Monitor access logs for unexpected requests to administrative endpoints from untrusted sources. Note that network-based compensating controls require ongoing maintenance and may be bypassed if the router is directly internet-facing or if internal networks are compromised. These are temporary mitigations with operational overhead; vendor patching remains the primary remediation path.
More in Router Qn I 470
View allRemote code execution in Quantum Networks router QN-I-470 allows authenticated attackers to execute arbitrary OS command
Remote code execution with root privileges in Quantum Networks router QN-I-470 version 6.1.1.B1 allows adjacent network
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-24084
GHSA-v758-4p42-wqcm