Skip to main content

Qurouter

12 CVEs product

Monthly

CVE-2025-62843 LOW PATCH Monitor

An improper restriction of communication channel to intended endpoints vulnerability (CWE-923) has been identified in QNAP QHora devices, allowing attackers with physical access to exploit insufficient endpoint validation and gain privileges intended for legitimate endpoints. The vulnerability affects QHora/QuRouter products prior to version 2.6.3.009. While no CVSS score or EPSS data is currently available and the vulnerability does not appear in active exploitation databases (KEV), the physical access requirement significantly constrains real-world exploitability, though the privilege escalation impact remains concerning for organizations with physical security controls.

Information Disclosure Qurouter
NVD VulDB
CVSS 4.0
0.9
EPSS
0.0%
CVE-2025-62844 MEDIUM PATCH This Month

A weak authentication vulnerability exists in QNAP QHora/QuRouter devices that allows attackers with local network access to bypass authentication mechanisms and disclose sensitive information. The vulnerability affects QuRouter versions prior to 2.6.2.007, and exploitation requires network-level access but no special privileges. While no CVSS score or EPSS data is publicly available, the classification as CWE-1390 (Weak Authentication) and the emphasis on local network access indicates this is a network-adjacent threat with moderate real-world risk, particularly in environments where untrusted devices can connect to the local network.

Information Disclosure Qurouter
NVD VulDB
CVSS 4.0
4.0
EPSS
0.0%
CVE-2025-62845 MEDIUM PATCH This Month

An improper neutralization of escape, meta, or control sequences vulnerability (CWE-150) affects QNAP QHora/QuRouter devices, allowing local attackers with administrator privileges to cause unexpected behavior through injection of unfiltered control sequences. The vulnerability has been patched in QuRouter version 2.6.3.009 and later. While no CVSS score, EPSS probability, or KEV/POC data are currently published, the requirement for local administrator access significantly limits exploitation scope in typical deployments.

Information Disclosure Qurouter
NVD VulDB
CVSS 4.0
5.6
EPSS
0.0%
CVE-2025-62846 HIGH PATCH This Week

An SQL injection vulnerability exists in QNAP QuRouter that allows authenticated local administrators to execute unauthorized code or commands through SQL injection techniques. The vulnerability affects QuRouter versions prior to 2.6.2.007, and exploitation requires an attacker to first obtain legitimate administrator credentials on the affected device. While no CVSS score or EPSS data is currently published, the SQL injection classification (CWE-89) combined with code execution impact represents a critical risk for compromised administrator accounts.

SQLi Qurouter
NVD VulDB
CVSS 4.0
7.3
EPSS
0.0%
CVE-2025-29887 HIGH This Month

A command injection vulnerability has been reported to affect QuRouter 2.5.1. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable. No vendor patch available.

Command Injection Qurouter
NVD
CVSS 4.0
7.1
EPSS
0.1%
CVE-2024-13088 HIGH PATCH This Week

CVE-2024-13088 is an improper authentication vulnerability (CWE-287) affecting QHora/QuRouter that allows local network attackers with low privileges to compromise system confidentiality, integrity, and availability. The vulnerability requires local network access and low privileges but no user interaction, making it a significant risk for networked environments. Patch versions QuRouter 2.5.0.140 and later are available, though KEV/EPSS data and active exploitation status are not confirmed in the provided intelligence.

Authentication Bypass Qurouter
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2024-13087 MEDIUM PATCH This Month

A command injection vulnerability has been reported to affect QHora. If an attacker gains local network access who have also gained an administrator account, they can then exploit the vulnerability to execute arbitrary commands. We have already fixed the vulnerability in the following version: QuRouter 2.4.6.028 and later

Command Injection Qurouter
NVD
CVSS 3.1
6.7
EPSS
0.0%
CVE-2024-53700 MEDIUM This Month

A command injection vulnerability has been reported to affect QHora. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Command Injection Qurouter
NVD
CVSS 4.0
5.1
EPSS
0.2%
CVE-2024-50390 HIGH This Week

A command injection vulnerability has been reported to affect QHora. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Command Injection Qurouter
NVD
CVSS 4.0
7.7
EPSS
0.4%
CVE-2024-50389 CRITICAL Act Now

A SQL injection vulnerability has been reported to affect QuRouter. Rated critical severity (CVSS 9.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi Qurouter
NVD
CVSS 4.0
9.5
EPSS
0.8%
CVE-2024-48861 HIGH This Week

An OS command injection vulnerability has been reported to affect several product versions. Rated high severity (CVSS 7.3), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Command Injection Qurouter
NVD
CVSS 4.0
7.3
EPSS
0.8%
CVE-2024-48860 CRITICAL Act Now

An OS command injection vulnerability has been reported to affect several product versions. Rated critical severity (CVSS 9.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Command Injection Qurouter
NVD
CVSS 4.0
9.5
EPSS
1.5%
EPSS 0% CVSS 0.9
LOW PATCH Monitor

An improper restriction of communication channel to intended endpoints vulnerability (CWE-923) has been identified in QNAP QHora devices, allowing attackers with physical access to exploit insufficient endpoint validation and gain privileges intended for legitimate endpoints. The vulnerability affects QHora/QuRouter products prior to version 2.6.3.009. While no CVSS score or EPSS data is currently available and the vulnerability does not appear in active exploitation databases (KEV), the physical access requirement significantly constrains real-world exploitability, though the privilege escalation impact remains concerning for organizations with physical security controls.

Information Disclosure Qurouter
NVD VulDB
EPSS 0% CVSS 4.0
MEDIUM PATCH This Month

A weak authentication vulnerability exists in QNAP QHora/QuRouter devices that allows attackers with local network access to bypass authentication mechanisms and disclose sensitive information. The vulnerability affects QuRouter versions prior to 2.6.2.007, and exploitation requires network-level access but no special privileges. While no CVSS score or EPSS data is publicly available, the classification as CWE-1390 (Weak Authentication) and the emphasis on local network access indicates this is a network-adjacent threat with moderate real-world risk, particularly in environments where untrusted devices can connect to the local network.

Information Disclosure Qurouter
NVD VulDB
EPSS 0% CVSS 5.6
MEDIUM PATCH This Month

An improper neutralization of escape, meta, or control sequences vulnerability (CWE-150) affects QNAP QHora/QuRouter devices, allowing local attackers with administrator privileges to cause unexpected behavior through injection of unfiltered control sequences. The vulnerability has been patched in QuRouter version 2.6.3.009 and later. While no CVSS score, EPSS probability, or KEV/POC data are currently published, the requirement for local administrator access significantly limits exploitation scope in typical deployments.

Information Disclosure Qurouter
NVD VulDB
EPSS 0% CVSS 7.3
HIGH PATCH This Week

An SQL injection vulnerability exists in QNAP QuRouter that allows authenticated local administrators to execute unauthorized code or commands through SQL injection techniques. The vulnerability affects QuRouter versions prior to 2.6.2.007, and exploitation requires an attacker to first obtain legitimate administrator credentials on the affected device. While no CVSS score or EPSS data is currently published, the SQL injection classification (CWE-89) combined with code execution impact represents a critical risk for compromised administrator accounts.

SQLi Qurouter
NVD VulDB
EPSS 0% CVSS 7.1
HIGH This Month

A command injection vulnerability has been reported to affect QuRouter 2.5.1. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable. No vendor patch available.

Command Injection Qurouter
NVD
EPSS 0% CVSS 7.8
HIGH PATCH This Week

CVE-2024-13088 is an improper authentication vulnerability (CWE-287) affecting QHora/QuRouter that allows local network attackers with low privileges to compromise system confidentiality, integrity, and availability. The vulnerability requires local network access and low privileges but no user interaction, making it a significant risk for networked environments. Patch versions QuRouter 2.5.0.140 and later are available, though KEV/EPSS data and active exploitation status are not confirmed in the provided intelligence.

Authentication Bypass Qurouter
NVD
EPSS 0% CVSS 6.7
MEDIUM PATCH This Month

A command injection vulnerability has been reported to affect QHora. If an attacker gains local network access who have also gained an administrator account, they can then exploit the vulnerability to execute arbitrary commands. We have already fixed the vulnerability in the following version: QuRouter 2.4.6.028 and later

Command Injection Qurouter
NVD
EPSS 0% CVSS 5.1
MEDIUM This Month

A command injection vulnerability has been reported to affect QHora. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Command Injection Qurouter
NVD
EPSS 0% CVSS 7.7
HIGH This Week

A command injection vulnerability has been reported to affect QHora. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Command Injection Qurouter
NVD
EPSS 1% CVSS 9.5
CRITICAL Act Now

A SQL injection vulnerability has been reported to affect QuRouter. Rated critical severity (CVSS 9.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi Qurouter
NVD
EPSS 1% CVSS 7.3
HIGH This Week

An OS command injection vulnerability has been reported to affect several product versions. Rated high severity (CVSS 7.3), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Command Injection Qurouter
NVD
EPSS 1% CVSS 9.5
CRITICAL Act Now

An OS command injection vulnerability has been reported to affect several product versions. Rated critical severity (CVSS 9.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Command Injection Qurouter
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy