Main Vulnerability Database Vulnerabilities #VU110666

Command Injection in QuRouter - CVE-2024-13087

Published: June 9, 2025 / Updated: August 30, 2025

Vulnerability identifier: #VU110666

CSH Severity: Low

CVSS v4.0: CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: CVE-2024-13087

CWE-ID: CWE-77

Exploitation vector: Adjecent network

Exploit availability: No public exploit available

Vendor: QNAP Systems, Inc.

Affected software:
QuRouter

Detailed vulnerability description

The vulnerability allows a remote user to execute arbitrary commands on the system.

The vulnerability exists due to insufficient input validation. An administrator on the local network can pass specially crafted data to the application and execute arbitrary commands.

How to mitigate CVE-2024-13087

Install updates from vendor's website.

Sources

https://www.qnap.com/en/security-advisory/qsa-25-15
https://www.zerodayinitiative.com/advisories/ZDI-25-871/

Command Injection in QuRouter - CVE-2024-13087

Detailed vulnerability description

How to mitigate CVE-2024-13087

Sources

Please verify you're human