CVE-2024-48860 (CVSS 9.5): Critical Flaw in QNAP QuRouter, Immediate Update Recommended

QNAP has issued a security advisory urging users of its QuRouter network appliance to update their devices immediately. The advisory addresses multiple vulnerabilities, including CVE-2024-48860 and CVE-2024-48861, which could allow remote attackers to execute arbitrary commands on vulnerable devices.

CVE-2024-48860 is a critical vulnerability with a CVSS score of 9.5, while CVE-2024-48861 is rated as high severity with a CVSS score of 7.3.

QNAP warns: “The command injection vulnerabilities could allow remote attackers to execute arbitrary commands.”

Affected Products:

• QuRouter 2.4.x

Solution:

QNAP has released QuRouter version 2.4.3.106 and later to address these vulnerabilities. Users are strongly advised to update their devices as soon as possible.

How to Update:

Users can update their QuRouter devices by following these steps:

1. Log in to QuRouter.

2. Go to Firmware.

3. Select Update now.

4. Select Latest.

5. Click Apply.

6. Click Apply again to confirm.

QuRouter will then download and install the latest firmware.

Alternatively, users can manually update their devices by downloading the latest firmware from the QNAP Download Center and installing it through the Firmware > Manual Update option in QuRouter.

In addition to applying the firmware updates, QNAP users should:

• Regularly review device logs for unusual activity.
• Ensure strong, unique passwords are used for device access.
• Limit remote access to trusted networks only.

Related Posts:

• QNAP Patches Zero-Day Flaw CVE-2024-50389 in QuRouter Following Pwn2Own Ireland 2024 Exploits
• QNAP detects a large number of ransomware attacks
• DeadBolt ransomware is threatening QNAP users
• QNAP Counters Massive Weak Password Onslaught, Shields NAS Devices
• CVE-2024-50387: Critical QNAP Flaw Exploited in Hacking Contest, Patch Now