Skip to main content

CVE-2024-13087: CWE-78 in QNAP Systems Inc. QuRouter

Low
VulnerabilityCVE-2024-13087cvecve-2024-13087cwe-78
Published: Fri Jun 06 2025 (06/06/2025, 15:53:04 UTC)
Source: CVE Database V5
Vendor/Project: QNAP Systems Inc.
Product: QuRouter

Description

A command injection vulnerability has been reported to affect QHora. If an attacker gains local network access who have also gained an administrator account, they can then exploit the vulnerability to execute arbitrary commands. We have already fixed the vulnerability in the following version: QuRouter 2.4.6.028 and later

AI-Powered Analysis

AILast updated: 07/08/2025, 05:39:35 UTC

Technical Analysis

CVE-2024-13087 is a command injection vulnerability identified in QNAP Systems Inc.'s QuRouter product, specifically affecting versions 2.4.x prior to 2.4.6.028. The vulnerability is classified under CWE-78, which pertains to improper neutralization of special elements used in OS commands, commonly known as command injection. This flaw allows an attacker who has already obtained local network access and administrative credentials on the device to execute arbitrary commands on the underlying operating system. The attack vector requires the attacker to be on the local network and possess high privileges (administrator account) on the QuRouter device. Exploitation does not require user interaction beyond the attacker’s initial access and credentials. The vulnerability has a CVSS v4.0 base score of 2.4, indicating a low severity level, primarily because of the prerequisite of administrative privileges and local network access. The impact on confidentiality, integrity, and availability is limited by these constraints, and the vulnerability does not affect the system’s security components or require user interaction. QNAP has addressed this vulnerability in QuRouter version 2.4.6.028 and later, urging users to update to these versions to mitigate the risk. There are no known exploits in the wild at this time, and no public proof-of-concept code has been reported. The vulnerability’s presence in network router firmware means that successful exploitation could allow an attacker to execute arbitrary commands, potentially leading to unauthorized control over the device, manipulation of network traffic, or pivoting to other internal systems.

Potential Impact

For European organizations, the impact of CVE-2024-13087 is generally limited due to the requirement for an attacker to have both local network access and administrative credentials on the QuRouter device. However, in environments where QuRouter devices are deployed as critical network infrastructure—such as in small to medium enterprises, branch offices, or home office setups—this vulnerability could be leveraged by insiders or attackers who have already compromised administrative accounts to escalate control over the router. This could lead to unauthorized command execution, network traffic manipulation, or further lateral movement within the network. Given that QNAP devices are often used for network management and storage, exploitation could indirectly affect data confidentiality and integrity if attackers use the router as a foothold. The low CVSS score reflects the limited attack surface, but organizations with lax credential management or insufficient network segmentation could face higher risks. Additionally, the absence of known exploits reduces immediate threat but does not eliminate the risk of future exploitation. European organizations should be particularly vigilant in sectors with high reliance on QNAP QuRouter devices and where local network access controls are weak.

Mitigation Recommendations

1. Immediate upgrade of all QuRouter devices to version 2.4.6.028 or later to ensure the vulnerability is patched. 2. Enforce strict administrative credential management, including strong, unique passwords and regular rotation to reduce the risk of credential compromise. 3. Implement network segmentation to restrict local network access to QuRouter devices only to trusted and necessary personnel or systems. 4. Monitor administrative access logs on QuRouter devices for unusual login patterns or unauthorized access attempts. 5. Disable or restrict remote administrative access where possible to minimize exposure. 6. Employ network intrusion detection systems (NIDS) to detect anomalous command execution or lateral movement attempts within the local network. 7. Conduct regular security audits and penetration testing focusing on network devices to identify and remediate potential privilege escalations or access control weaknesses. 8. Educate network administrators and users about the risks of credential sharing and the importance of maintaining secure access controls.

Need more detailed analysis?Get Pro

Technical Details

Data Version
5.1
Assigner Short Name
qnap
Date Reserved
2024-12-31T09:31:37.789Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 6843110571f4d251b5d0a5b8

Added to database: 6/6/2025, 4:02:13 PM

Last enriched: 7/8/2025, 5:39:35 AM

Last updated: 8/14/2025, 11:27:28 PM

Views: 13

Actions

PRO

Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.

Please log in to the Console to use AI analysis features.

Need enhanced features?

Contact root@offseq.com for Pro access with improved analysis and higher rate limits.

Latest Threats