CVE-2024-53700

HighRCE

Published: 07 March 2025

Published

07 March 2025

Modified

24 September 2025

KEV Added

—

Patch

—

CVSS Score 7.2 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0023 46.1th percentile

Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-53700 is a high-severity Command Injection (CWE-77) vulnerability in Qnap Qurouter. Its CVSS base score is 7.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Unix Shell (T1059.004); ranked at the 46.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Unix Shell (T1059.004). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly mitigates the command injection vulnerability by requiring timely remediation through patching to QuRouter 2.4.6.028 or later as specified in the vendor advisory.

SI-10 Information Input Validation good match

prevent

Prevents command injection attacks by validating and sanitizing administrator inputs to block arbitrary command execution.

AC-6 Least Privilege partial match

prevent

Limits the impact of successful command injection by enforcing least privilege on administrator accounts, reducing privileges available for exploitation.

MITRE ATT&CK Enterprise TechniquesAI

T1059.004 Unix Shell Execution

Adversaries may abuse Unix shell commands and scripts for execution.

attack.mitre.org →

Why these techniques?

Command injection (CWE-77/78) directly enables arbitrary command execution on the Linux-based QuRouter firmware, mapping to Unix Shell interpreter usage.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

A command injection vulnerability has been reported to affect QHora. If exploited, the vulnerability could allow remote attackers who have gained administrator access to execute arbitrary commands. We have already fixed the vulnerability in the following version: QuRouter 2.4.6.028 and…

later

Deeper analysisAI

CVE-2024-53700 is a command injection vulnerability (CWE-77, CWE-78) affecting QHora devices running QuRouter firmware versions prior to 2.4.6.028. Published on 2025-03-07, it carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H), indicating a high-severity issue that enables attackers to execute arbitrary commands.

Remote attackers who have already gained administrator access can exploit this vulnerability over the network with low complexity and no user interaction. Successful exploitation grants high-impact privileges, allowing full compromise of confidentiality, integrity, and availability on the targeted QHora device.

QNAP's security advisory (QSA-25-07) confirms the vulnerability has been fixed in QuRouter 2.4.6.028 and later versions. Administrators should immediately update affected QHora devices to mitigate the risk, as detailed at https://www.qnap.com/en/security-advisory/qsa-25-07.

Details

CWE(s): CWE-77 CWE-78

Affected Products

qnap

qurouter

2.4.0.190, 2.4.1.172, 2.4.1.634, 2.4.2.317, 2.4.2.538

CVEs Like This One

CVE-2024-50390Same product: Qnap Qurouter

CVE-2025-30264Same product class: NAS / storage appliance

CVE-2026-22897Same product class: NAS / storage appliance

CVE-2024-56808Same product class: NAS / storage appliance

CVE-2025-44015Same product class: NAS / storage appliance

CVE-2024-14026Same product class: NAS / storage appliance

CVE-2026-22901Same product class: NAS / storage appliance

CVE-2025-54153Same product class: NAS / storage appliance

CVE-2025-44014Same product class: NAS / storage appliance

CVE-2025-11837Same product class: NAS / storage appliance

References

https://www.qnap.com/en/security-advisory/qsa-25-07
Vendor Advisory · security@qnapsecurity.com.tw