Home

Description

A command injection vulnerability has been reported to affect QHora. If an attacker gains local network access who have also gained an administrator account, they can then exploit the vulnerability to execute arbitrary commands. We have already fixed the vulnerability in the following version: QuRouter 2.4.6.028 and later

PUBLISHED Reserved 2024-12-31 | Published 2025-06-06 | Updated 2025-06-06 | Assigner qnap




LOW: 2.4CVSS:4.0/AV:P/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

Problem types

CWE-78

Product status

Default status
unaffected

2.4.x (custom) before 2.4.6.028
affected

Credits

nella17 (@nella17tw), working with DEVCORE Internship Program, and DEVCORE Research Team working with Trend Micro Zero Day Initiative finder

References

www.qnap.com/en/security-advisory/qsa-25-15

cve.org (CVE-2024-13087)

nvd.nist.gov (CVE-2024-13087)

Download JSON

Data based on CVE®. Copyright © 1999-2025, The MITRE Corporation. All rights reserved.