Command Injection Vulnerability in QHora by QNAP
CVE-2024-50390

7.7HIGH

Key Information:

Vendor: QNAP
Status: Qurouter
Vendor: CVE Published:; 7 March 2025

Summary

A command injection vulnerability has been identified in QHora, a networking product from QNAP. This issue allows remote attackers to execute arbitrary commands on affected systems, potentially leading to unauthorized access and compromise of sensitive information. It is crucial for users to update to version 2.4.5.032 or later to mitigate these risks and ensure the integrity of their networks. For more detailed information, please refer to the QNAP security advisory.

Affected Version(s)

QuRouter 2.4.x < 2.4.5.032

References

https://www.qnap.com/en/security-advisory/qsa-25-01

CVSS V4

Score:

7.7

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

Physical

Privileges Required:

Undefined

User Interaction:

Unknown

Timeline

Vulnerability published
Mar 7, 2025
Vulnerability Reserved
Oct 24, 2024

Credit

Pwn2Own 2024 - Daan Keuper (@daankeuper), Thijs Alkemade, and Khaled Nassar from Computest Sector 7