CVE-2024-53700

High

Published: 07 March 2025

Published

07 March 2025

Modified

24 September 2025

KEV Added

—

Patch

—

CVSS Score 7.2 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0023 46.1th percentile

Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Description

Adversaries may abuse Unix shell commands and scripts for execution.

Security Summary

CVE-2024-53700 is a command injection vulnerability (CWE-77, CWE-78) affecting QHora devices running QuRouter firmware versions prior to 2.4.6.028. Published on 2025-03-07, it carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H), indicating a high-severity issue that enables attackers to execute arbitrary commands.

Remote attackers who have already gained administrator access can exploit this vulnerability over the network with low complexity and no user interaction. Successful exploitation grants high-impact privileges, allowing full compromise of confidentiality, integrity, and availability on the targeted QHora device.

QNAP's security advisory (QSA-25-07) confirms the vulnerability has been fixed in QuRouter 2.4.6.028 and later versions. Administrators should immediately update affected QHora devices to mitigate the risk, as detailed at https://www.qnap.com/en/security-advisory/qsa-25-07.

Details

CWE(s): CWE-77CWE-78

Affected Products

qnap

qurouter

2.4.0.190, 2.4.1.172, 2.4.1.634, 2.4.2.317, 2.4.2.538

MITRE ATT&CK Enterprise Techniques

T1059.004 Unix Shell Execution

Adversaries may abuse Unix shell commands and scripts for execution.

attack.mitre.org →

Why these techniques?

Command injection (CWE-77/78) directly enables arbitrary command execution on the Linux-based QuRouter firmware, mapping to Unix Shell interpreter usage.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://www.qnap.com/en/security-advisory/qsa-25-07
Vendor Advisory · security@qnapsecurity.com.tw