CVE-2025-29887

CWE-77 — Command Injection CWE-78 — OS Command Injection3 documents3 sources

Severity

7.1HIGH

EPSS

0.1%

top 71.66%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Qnap Systems Inc. Qurouter Qnap Qurouter

Timeline

PublishedAug 29

Description

A command injection vulnerability has been reported to affect QuRouter 2.5.1. If a remote attacker gains an administrator account, they can then exploit the vulnerability to execute arbitrary commands. We have already fixed the vulnerability in the following version: QuRouter 2.5.1.060 and later

CVSS vector

CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Affected Packages2 packages

▶CVEListV5qnap_systems_inc./qurouter2.5.x — 2.5.1.060

▶NVDqnap/qurouter2.5.0.140, 2.5.0.268+1

🔴Vulnerability Details

CVEList

QuRouter 2.5↗2025-08-29

▶

GHSA

GHSA-423r-mv6p-g8cm: A command injection vulnerability has been reported to affect QuRouter 2↗2025-08-29

▶