Command Injection Vulnerability in QHora by QNAP
CVE-2024-53700

5.1MEDIUM

Key Information:

Vendor: QNAP
Status: Qurouter
Vendor: CVE Published:; 7 March 2025

Summary

A command injection vulnerability in QHora allows remote attackers with administrator access to execute arbitrary commands on the device. This could lead to unauthorized actions within the system, compromising the integrity and security of the network. Users are strongly advised to upgrade to version 2.4.6.028 or later to mitigate this security risk.

Affected Version(s)

QuRouter 2.4.x < 2.4.6.028

References

https://www.qnap.com/en/security-advisory/qsa-25-07

CVSS V4

Score:

5.1

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Timeline

Vulnerability published
Mar 7, 2025
Vulnerability Reserved
Nov 22, 2024

Credit

Freddo Espresso (Evangelos Daravigkas)