QNAP has issued an urgent advisory for its QuRouter networking devices, reporting two serious command injection vulnerabilities, CVE-2024-48860 and CVE-2024-48861. These flaws pose a significant risk of remote code execution if left unpatched. A recent analysis identified 6,645 exposed devices, including 3,769 unique IPs, highlighting the urgency of an immediate fix.
| Product | QuRouter |
| Date | 2024-11-27 09:21:22 |
| Information |
|
Technical Summary
CVE-2024-48860: A critical command injection vulnerability with a CVSS score of 9.5, which could allow remote attackers to execute arbitrary commands on QuRouter devices running versions 2.4.x.
CVE-2024-48861: A high-severity command injection vulnerability rated 7.3 on the CVSS scale, which also allows for the execution of unauthorized commands by remote attackers.
Both vulnerabilities stem from inadequate input validation in the affected QuRouter firmware, exposing devices to potential exploits by remote attackers. The high number of exposed devices increases the attack surface and raises the risk of large-scale exploitation.
Recommendations
Immediate Firmware Update: Update the QuRouter firmware to version 2.4.3.106 or later to mitigate these vulnerabilities.
- Steps to update:
- Log in to the QuRouter.
- Navigate to Firmware > Update now > Latest.
- Click Apply twice to confirm and install the latest firmware.
- Alternatively, download the firmware from the QNAP Download Center and update manually via Firmware > Manual Update.
- Steps to update:
Improve Device Security:
- Regularly review device logs for unusual or unauthorized activity.
- Use strong, unique passwords for device access.
- Restrict remote access to trusted networks only.
[Callforaction-THREAT-Footer]
