CVE-2024-50390
Published: 07 March 2025
Description
Adversaries may abuse Unix shell commands and scripts for execution.
Security Summary
CVE-2024-50390 is a command injection vulnerability (CWE-78, CWE-1188) affecting QHora devices from QNAP. The flaw exists in the QuRouter firmware, enabling remote attackers to execute arbitrary commands if exploited. It has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its network accessibility, low attack complexity, and lack of required privileges or user interaction.
Remote, unauthenticated attackers can exploit this vulnerability over the network without privileges or user involvement. Successful exploitation grants attackers the ability to execute arbitrary commands on the affected device, potentially leading to full system compromise with high impacts on confidentiality, integrity, and availability.
QNAP has addressed the vulnerability in QuRouter firmware version 2.4.5.032 and later. Security practitioners should update affected QHora devices to these patched versions immediately. Additional details are available in the vendor's advisory at https://www.qnap.com/en/security-advisory/qsa-25-01.
Details
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Remote unauthenticated command injection in public-facing QuRouter firmware directly maps to T1190 for exploitation of the exposed application and T1059.004 for arbitrary Unix shell command execution on the Linux-based device.