Details of VAR-202506-2348

ID

VAR-202506-2348

CVE

CVE-2024-13087

TITLE

(Pwn2Own) QNAP QHora-322 miro_webserver_lib_RunExecBash Command Injection Remote Code Execution Vulnerability

Trust: 0.7

sources: ZDI: ZDI-25-871

DESCRIPTION

A command injection vulnerability has been reported to affect QHora. If an attacker gains local network access who have also gained an administrator account, they can then exploit the vulnerability to execute arbitrary commands. We have already fixed the vulnerability in the following version: QuRouter 2.4.6.028 and later. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of QNAP QHora-322 routers. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed.The specific flaw exists within the miro_webserver_lib_RunExecBash function. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. QNAP QHora is a router from Taiwan's QNAP Technology Co., Ltd. The vulnerability is caused by the application's failure to properly filter special characters and commands in constructing commands. No detailed vulnerability details are currently available

Trust: 2.07

sources: NVD: CVE-2024-13087 // ZDI: ZDI-25-871 // CNVD: CNVD-2025-15407

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2025-15407

AFFECTED PRODUCTS

vendor:	qnap	model:	qhora-322	scope:	-	version:	-	Trust: 0.7
vendor:	qnap	model:	qhora	scope:	lt	version:	2.4.6.028	Trust: 0.6

sources: ZDI: ZDI-25-871 // CNVD: CNVD-2025-15407

CVSS

SEVERITY

CVSSV2

CVSSV3

security@qnapsecurity.com.tw:	CVE-2024-13087
value:	LOW
Trust: 1.0
ZDI:	CVE-2024-13087
value:	HIGH
Trust: 0.7
CNVD:	CNVD-2025-15407
value:	MEDIUM
Trust: 0.6

CNVD:	CNVD-2025-15407
severity:	MEDIUM
baseScore:	4.0
vectorString:	AV:L/AC:L/AU:M/C:P/I:P/A:P
accessVector:	LOCAL
accessComplexity:	LOW
authentication:	MULTIPLE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	2.5
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6

ZDI:	CVE-2024-13087
baseSeverity:	HIGH
baseScore:	7.1
vectorString:	AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector:	ADJACENT
attackComplexity:	HIGH
privilegesRequired:	LOW
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	1.2
impactScore:	5.9
version:	3.0
Trust: 0.7

sources: ZDI: ZDI-25-871 // CNVD: CNVD-2025-15407 // NVD: CVE-2024-13087

PROBLEMTYPE DATA

problemtype:

CWE-78

Trust: 1.0

sources: NVD: CVE-2024-13087

PATCH

title:	QNAP has issued an update to correct this vulnerability.	url:	https://www.qnap.com/en/security-advisory/qsa-25-15	Trust: 0.7
title:	Patch for QNAP QHora OS Command Injection Vulnerability	url:	https://www.cnvd.org.cn/patchInfo/show/706231	Trust: 0.6

sources: ZDI: ZDI-25-871 // CNVD: CNVD-2025-15407

EXTERNAL IDS

db:	NVD	id:	CVE-2024-13087	Trust: 2.3
db:	ZDI_CAN	id:	ZDI-CAN-25847	Trust: 0.7
db:	ZDI	id:	ZDI-25-871	Trust: 0.7
db:	CNVD	id:	CNVD-2025-15407	Trust: 0.6

sources: ZDI: ZDI-25-871 // CNVD: CNVD-2025-15407 // NVD: CVE-2024-13087

REFERENCES

url:	https://www.qnap.com/en/security-advisory/qsa-25-15	Trust: 1.7
url:	https://nvd.nist.gov/vuln/detail/cve-2024-13087	Trust: 0.6

sources: ZDI: ZDI-25-871 // CNVD: CNVD-2025-15407 // NVD: CVE-2024-13087

CREDITS

nella17 (@nella17tw), working with DEVCORE Internship Program, and DEVCORE Research Team

Trust: 0.7

sources: ZDI: ZDI-25-871

SOURCES

db:	ZDI	id:	ZDI-25-871
db:	CNVD	id:	CNVD-2025-15407
db:	NVD	id:	CVE-2024-13087

LAST UPDATE DATE

2025-08-28T23:18:35.699000+00:00

SOURCES UPDATE DATE

db:	ZDI	id:	ZDI-25-871	date:	2025-08-26T00:00:00
db:	CNVD	id:	CNVD-2025-15407	date:	2025-07-10T00:00:00
db:	NVD	id:	CVE-2024-13087	date:	2025-06-09T12:15:47.880

SOURCES RELEASE DATE

db:	ZDI	id:	ZDI-25-871	date:	2025-08-26T00:00:00
db:	CNVD	id:	CNVD-2025-15407	date:	2025-07-08T00:00:00
db:	NVD	id:	CVE-2024-13087	date:	2025-06-06T16:15:22.573