CVE-2024-13087
BaseFortify
Publication date: 2025-06-06
Last updated on: 2025-09-24
Assigner: QNAP Systems, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| qnap | qurouter | 2.4.0.190 |
| qnap | qurouter | 2.4.1.172 |
| qnap | qurouter | 2.4.1.634 |
| qnap | qurouter | 2.4.2.317 |
| qnap | qurouter | 2.4.2.538 |
| qnap | qurouter | 2.4.3.103 |
| qnap | qurouter | 2.4.4.106 |
| qnap | qurouter | 2.4.5.032 |
| qnap | qurouter | 2.4.6.028 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, update your QHora device to QuRouter version 2.4.6.028 or later, where the vulnerability has been fixed. Additionally, restrict local network access and ensure that administrator accounts are secured to prevent unauthorized exploitation.
Can you explain this vulnerability to me?
This vulnerability is a command injection flaw in QHora devices. If an attacker has local network access and has obtained an administrator account, they can exploit this vulnerability to execute arbitrary commands on the device.
How can this vulnerability impact me? :
If exploited, this vulnerability allows an attacker with local network and administrator access to execute arbitrary commands on the affected device, potentially leading to unauthorized control, data compromise, or disruption of device functionality.