CVE-2024-50390
Published: 07 March 2025
Summary
CVE-2024-50390 is a critical-severity OS Command Injection (CWE-78) vulnerability in Qnap Qurouter. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 30.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Mandates timely identification, reporting, and patching of the command injection flaw in QHora firmware to block remote arbitrary command execution.
Enforces validation of untrusted network inputs to prevent injection of malicious commands exploiting the firmware vulnerability.
Enables vulnerability scanning to identify the presence of CVE-2024-50390 in deployed QHora devices for prompt remediation.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Remote unauthenticated command injection in public-facing QuRouter firmware directly maps to T1190 for exploitation of the exposed application and T1059.004 for arbitrary Unix shell command execution on the Linux-based device.
NVD Description
A command injection vulnerability has been reported to affect QHora. If exploited, the vulnerability could allow remote attackers to execute arbitrary commands. We have already fixed the vulnerability in the following version: QuRouter 2.4.5.032 and later
Deeper analysisAI
CVE-2024-50390 is a command injection vulnerability (CWE-78, CWE-1188) affecting QHora devices from QNAP. The flaw exists in the QuRouter firmware, enabling remote attackers to execute arbitrary commands if exploited. It has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its network accessibility, low attack complexity, and lack of required privileges or user interaction.
Remote, unauthenticated attackers can exploit this vulnerability over the network without privileges or user involvement. Successful exploitation grants attackers the ability to execute arbitrary commands on the affected device, potentially leading to full system compromise with high impacts on confidentiality, integrity, and availability.
QNAP has addressed the vulnerability in QuRouter firmware version 2.4.5.032 and later. Security practitioners should update affected QHora devices to these patched versions immediately. Additional details are available in the vendor's advisory at https://www.qnap.com/en/security-advisory/qsa-25-01.
Details
- CWE(s)