Unrated severity · NVD Advisory · Published Jun 6, 2025 · Updated Jun 6, 2025
QHora
CVE-2024-13088
Description
An improper authentication vulnerability has been reported to affect QHora. If an attacker gains local network access, they can then exploit the vulnerability to compromise the security of the system.
We have already fixed the vulnerability in the following version: QuRouter 2.5.0.140 and later.
Affected products
- QNAP Systems Inc./QuRouter · v5 · Range: 2.5.x
Patches
No patches discovered yet.
References
News mentions
- ZDI-26-244: (Pwn2Own) QNAP QHora-322 miro_webserver_controllers_api_login_singIn Authentication Bypass Vulnerability · Zero Day Initiative · Mar 30, 2026