Description
An improper neutralization of escape, meta, or control sequences vulnerability has been reported to affect QHora. If a local attacker gains an administrator account, they can then exploit the vulnerability to cause unexpected behavior.

We have already fixed the vulnerability in the following version:
QuRouter 2.6.3.009 and later
Published: 2026-03-20
Score: 5.6 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Local Exploitation Causing Unexpected Behavior
Action: Patch
AI Analysis

Impact

An improper neutralization of escape, meta, or control sequences has been reported to affect QNAP QuRouter. The weakness, classified as CWE-150, allows a local attacker with administrator privileges to input crafted data that bypasses sanitization, which can lead to unexpected behavior of the router. The supplied description does not indicate remote code execution or denial-of-service capability.

Affected Systems

QNAP Systems Inc. QuRouter firmware versions before 2.6.3.009 are vulnerable. Specifically, the builds 2.6.0.239 (build_20250625), 2.6.0.688 (build_20250818), 2.6.1.028 (build_20251001), and 2.6.2.007 (build_20251027) are listed as affected. Users should verify the firmware version on each device to determine exposure.

Risk and Exploitability

The CVSS 4.0 score of 5.6 places this issue in the medium severity range, while an EPSS score below 1% indicates a low probability of exploitation. Because the flaw requires local administrator privileges, the risk comes only from administrator accounts that are misused or compromised. The vendor has released a fix in firmware 2.6.3.009 and later, so mitigation is a firmware upgrade.

Generated by OpenCVE AI on April 14, 2026 at 20:26 UTC.

Remediation

Vendor Solution

We have already fixed the vulnerability in the following version: QuRouter 2.6.3.009 and later


OpenCVE Recommended Actions

  • Upgrade the router firmware to version 2.6.3.009 or later to apply the vendor fix.
  • Verify the current firmware build; if it matches any of the vulnerable versions, perform the upgrade immediately.
  • If an upgrade cannot be applied right now, restrict local administrator accounts to trusted personnel and monitor the device for abnormal behavior.

Advisories

No advisories yet.

History

Tue, 14 Apr 2026 14:30:00 +0000

Type Values Removed Values Added
First Time appeared Qnap
Qnap qurouter
CPEs cpe:2.3:o:qnap:qurouter:2.6.0.239:build_20250625:*:*:*:*:*:*
cpe:2.3:o:qnap:qurouter:2.6.0.688:build_20250818:*:*:*:*:*:*
cpe:2.3:o:qnap:qurouter:2.6.1.028:build_20251001:*:*:*:*:*:*
cpe:2.3:o:qnap:qurouter:2.6.2.007:build_20251027:*:*:*:*:*:*
Vendors & Products Qnap
Qnap qurouter
Metrics cvssV3_1

{'score': 6.7, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}


Wed, 25 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 23 Mar 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Qnap Systems
Qnap Systems qurouter
Vendors & Products Qnap Systems
Qnap Systems qurouter

Fri, 20 Mar 2026 16:30:00 +0000

Type Values Removed Values Added
Description An improper neutralization of escape, meta, or control sequences vulnerability has been reported to affect QHora. If a local attacker gains an administrator account, they can then exploit the vulnerability to cause unexpected behavior. We have already fixed the vulnerability in the following version: QuRouter 2.6.3.009 and later
Title QuRouter
Weaknesses CWE-150
References
Metrics cvssV4_0

{'score': 5.6, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:L/SC:H/SI:H/SA:H/E:U'}


MITRE

Status: PUBLISHED

Assigner: qnap

Published:

Updated: 2026-03-25T14:02:24.019Z

Reserved: 2025-10-24T02:43:45.372Z

Link: CVE-2025-62845

Vulnrichment

Updated: 2026-03-25T14:02:18.992Z

NVD

Status: Analyzed

Published: 2026-03-20T17:16:42.560

Modified: 2026-04-14T14:25:40.667

Link: CVE-2025-62845

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T16:45:09Z
