Skip to main content

Router Qn I 470 EUVDEUVD-2026-24084

| CVE-2026-41039 HIGH
Missing Authentication for Critical Function (CWE-306)
2026-04-21 CERT-In GHSA-v758-4p42-wqcm
8.7
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

6
Re-analysis Queued
Apr 21, 2026 - 16:22 vuln.today
cvss_changed
Analysis Generated
Apr 21, 2026 - 13:33 vuln.today
CVSS changed
Apr 21, 2026 - 11:22 NVD
8.7 (HIGH)
EUVD ID Assigned
Apr 21, 2026 - 11:00 euvd
EUVD-2026-24084
Analysis Generated
Apr 21, 2026 - 11:00 vuln.today
CVE Published
Apr 21, 2026 - 10:28 nvd
HIGH 8.7

DescriptionCVE.org

This vulnerability exists in Quantum Networks router due to improper access control and insecure default configuration in the web-based management interface. An unauthenticated attacker could exploit this vulnerability by accessing exposed API endpoints on the targeted device.

Successful exploitation of this vulnerability could allow the attacker to access sensitive information, including internal endpoints, scripts and directories on the targeted device.

AnalysisAI

Information disclosure in Quantum Networks Router QN-I-470 version 6.1.1.B1 allows unauthenticated remote attackers to access sensitive internal data including API endpoints, scripts, and directories through exposed web management interface. Vulnerability stems from improper access control and insecure default configuration (CWE-306). CVSS 8.7 reflects network-accessible, low-complexity attack requiring no authentication or user interaction. No public exploit code identified at time of analysis, though the attack surface (exposed API endpoints) suggests straightforward exploitation. Reported by CERT-In (India national CERT), indicating potential regional targeting or discovery during incident response.

Technical ContextAI

This vulnerability affects the web-based management interface of Quantum Networks Router QN-I-470 firmware version 6.1.1.B1 (CPE: cpe:2.3:a:quantum_networks:router_qn-i-470:*:*:*:*:*:*:*:*). The root cause is CWE-306 (Missing Authentication for Critical Function), meaning API endpoints in the administrative interface lack proper authentication checks and are accessible without credentials. The CVSS 4.0 vector (AV:N/AC:L/PR:N) indicates these endpoints are reachable over the network with low attack complexity and no required privileges. CERT-In classification as Authentication Bypass confirms that security controls intended to protect administrative functions are either absent or bypassable. Insecure default configuration suggests the device ships with these API endpoints exposed, rather than requiring opt-in or explicit configuration. This is a common vulnerability class in embedded device web interfaces where developers expose internal APIs for legitimate administrative functions but fail to enforce authentication consistently across all endpoints.

RemediationAI

Organizations using Quantum Networks Router QN-I-470 should immediately consult CERT-In advisory CIVN-2026-0200 at https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01&VLCODE=CIVN-2026-0200 for vendor-supplied firmware updates addressing this vulnerability. No specific patch version is confirmed in available data at time of analysis. Until patching is feasible, implement network-level access controls to restrict web management interface access: configure firewall rules to allow administrative access only from trusted management networks or specific IP addresses, disable external (WAN-side) access to the web interface if not operationally required, and implement VPN-only access for remote administration. If the router supports it, disable unused API endpoints or the web interface entirely if command-line management is viable. Monitor access logs for unexpected requests to administrative endpoints from untrusted sources. Note that network-based compensating controls require ongoing maintenance and may be bypassed if the router is directly internet-facing or if internal networks are compromised. These are temporary mitigations with operational overhead; vendor patching remains the primary remediation path.

Share

EUVD-2026-24084 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy