{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-62844", "assignerOrgId": "2fd009eb-170a-4625-932b-17a53af1051f", "state": "PUBLISHED", "assignerShortName": "qnap", "dateReserved": "2025-10-24T02:43:45.372Z", "datePublished": "2026-03-20T16:21:56.718Z", "dateUpdated": "2026-03-25T14:01:52.002Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "2fd009eb-170a-4625-932b-17a53af1051f", "shortName": "qnap", "dateUpdated": "2026-03-20T16:21:56.718Z"}, "title": "QuRouter", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-1390", "description": "CWE-1390", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-115", "descriptions": [{"lang": "en", "value": "CAPEC-115"}]}], "affected": [{"vendor": "QNAP Systems Inc.", "product": "QuRouter", "versions": [{"status": "affected", "version": "2.6.x", "lessThan": "2.6.2.007", "versionType": "custom"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "A weak authentication vulnerability has been reported to affect QHora. If an attacker gains local network access, they can then exploit the vulnerability to gain sensitive information.\n\nWe have already fixed the vulnerability in the following version:\nQuRouter 2.6.2.007 and later", "supportingMedia": [{"type": "text/html", "base64": false, "value": "A weak authentication vulnerability has been reported to affect QHora. If an attacker gains local network access, they can then exploit the vulnerability to gain sensitive information.<br><br>We have already fixed the vulnerability in the following version:<br>QuRouter 2.6.2.007 and later<br>"}]}], "references": [{"url": "https://www.qnap.com/en/security-advisory/qsa-26-12"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "PHYSICAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subAvailabilityImpact": "NONE", "exploitMaturity": "UNREPORTED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "MEDIUM", "baseScore": 4, "vectorString": "CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U"}}], "solutions": [{"lang": "en", "value": "We have already fixed the vulnerability in the following version:\nQuRouter 2.6.2.007 and later", "supportingMedia": [{"type": "text/html", "base64": false, "value": "We have already fixed the vulnerability in the following version:<br>QuRouter 2.6.2.007 and later<br>"}]}], "credits": [{"lang": "en", "value": "Pwn2Own 2025 - Team DDOS", "type": "finder"}], "source": {"advisory": "QSA-26-12", "discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-25T14:01:43.911176Z", "id": "CVE-2025-62844", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T14:01:52.002Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-62844", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-25T14:01:43.911176Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-25T14:01:48.836Z"}}], "cna": {"title": "QuRouter", "source": {"advisory": "QSA-26-12", "discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Pwn2Own 2025 - Team DDOS"}], "impacts": [{"capecId": "CAPEC-115", "descriptions": [{"lang": "en", "value": "CAPEC-115"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 4, "Automatable": "NOT_DEFINED", "attackVector": "PHYSICAL", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U", "exploitMaturity": "UNREPORTED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "QNAP Systems Inc.", "product": "QuRouter", "versions": [{"status": "affected", "version": "2.6.x", "lessThan": "2.6.2.007", "versionType": "custom"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "We have already fixed the vulnerability in the following version:\nQuRouter 2.6.2.007 and later", "supportingMedia": [{"type": "text/html", "value": "We have already fixed the vulnerability in the following version:<br>QuRouter 2.6.2.007 and later<br>", "base64": false}]}], "references": [{"url": "https://www.qnap.com/en/security-advisory/qsa-26-12"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "A weak authentication vulnerability has been reported to affect QHora. If an attacker gains local network access, they can then exploit the vulnerability to gain sensitive information.\n\nWe have already fixed the vulnerability in the following version:\nQuRouter 2.6.2.007 and later", "supportingMedia": [{"type": "text/html", "value": "A weak authentication vulnerability has been reported to affect QHora. If an attacker gains local network access, they can then exploit the vulnerability to gain sensitive information.<br><br>We have already fixed the vulnerability in the following version:<br>QuRouter 2.6.2.007 and later<br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-1390", "description": "CWE-1390"}]}], "providerMetadata": {"orgId": "2fd009eb-170a-4625-932b-17a53af1051f", "shortName": "qnap", "dateUpdated": "2026-03-20T16:21:56.718Z"}}}, "cveMetadata": {"cveId": "CVE-2025-62844", "state": "PUBLISHED", "dateUpdated": "2026-03-25T14:01:52.002Z", "dateReserved": "2025-10-24T02:43:45.372Z", "assignerOrgId": "2fd009eb-170a-4625-932b-17a53af1051f", "datePublished": "2026-03-20T16:21:56.718Z", "assignerShortName": "qnap"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A weak authentication vulnerability has been reported to affect QHora. If an attacker gains local network access, they can then exploit the vulnerability to gain sensitive information.\n\nWe have already fixed the vulnerability in the following version:\nQuRouter 2.6.2.007 and later"}], "id": "CVE-2025-62844", "lastModified": "2026-03-24T15:54:09.400", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "PHYSICAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 4.0, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "UNREPORTED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security@qnapsecurity.com.tw", "type": "Secondary"}]}, "published": "2026-03-20T17:16:42.387", "references": [{"source": "security@qnapsecurity.com.tw", "url": "https://www.qnap.com/en/security-advisory/qsa-26-12"}], "sourceIdentifier": "security@qnapsecurity.com.tw", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1390"}], "source": "security@qnapsecurity.com.tw", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[2.6.x,2.6.2.007)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "product": "qurouter", "vendor": "qnap_systems"}], "analysis": {"en": {"generated_at": "2026-03-20T17:23:24.443652+00:00", "value": {"mitigation_remediation": ["Upgrade QuRouter to version 2.6.2.007 or later. If upgrade is not possible, isolate the device from untrusted local networks and enforce strict network segmentation to prevent local access. Consider enabling any additional security features the device offers, such as intrusion detection or account lockout policies."], "summary": {"action": "Apply Patch", "impact": "Sensitive Information Disclosure"}, "threat_synthesis": {"affected_systems": "The affected product is QNAP Systems Inc.'s QuRouter. All releases earlier than version 2.6.2.007 are impacted, as the vendor explicitly states that the issue is fixed in 2.6.2.007 and later. The advisory does not list any additional affected releases, so the safe assumption is that prior versions are vulnerable.", "description_and_impact": "This vulnerability is a weak authentication weakness that allows an attacker who already has local network access to gain sensitive information from the device. Because the authentication mechanism does not enforce strong passwords or multi\u2011factor verification, compromised credentials can be used to read confidential data. This is a direct confidentiality breach and is classified as CWE\u20111390.", "risk_and_exploitability": "With a CVSS score of four the vulnerability is considered moderate in severity. No EPSS score is published, and the flaw is not listed in the CISA KEV catalog, suggesting it is not currently actively exploited. The attack vector is local network \u2013 an attacker must first reach the device on the local network, then exploit the weak authentication to read sensitive data. If internal network traffic is exposed, the risk rises accordingly."}}}}, "created": "2026-03-23T09:53:16.396002+00:00", "title": "Weak Authentication Enables Local Network Information Disclosure", "updated": "2026-03-25T14:29:06.201151+00:00", "vendors": ["qnap_systems", "qnap_systems$PRODUCT$qurouter"]}