Command Injection Vulnerability in QHora by QNAP
CVE-2024-50390

7.7 HIGH

Key Information:

Vendor: QNAP
Status: Vendor
CVE Published: 7 March 2025

Summary

A command injection vulnerability has been identified in QHora, a networking product from QNAP. It allows remote attackers to execute arbitrary commands on affected systems, potentially leading to unauthorized access and compromise of sensitive information. Users should update to version 2.4.5.032 or later to mitigate these risks. For more detailed information, refer to the QNAP security advisory.

Affected Version(s)

QuRouter 2.4.x < 2.4.5.032

CVSS V4

Score: 7.7
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Pwn2Own 2024 - Daan Keuper (@daankeuper), Thijs Alkemade, and Khaled Nassar from Computest Sector 7.