Medium severity6.8NVD Advisory· Published Mar 20, 2026· Updated Apr 14, 2026

CVE-2025-62843

Description

An improper restriction of communication channel to intended endpoints vulnerability has been reported to affect QHora. If an attacker gains physical access, they can then exploit the vulnerability to gain the privileges that were intended for the original endpoint.

We have already fixed the vulnerability in the following version: QuRouter 2.6.3.009 and later

Affected products

Qnap/Qurouter4 versions
cpe:2.3:o:qnap:qurouter:2.6.0.239:build_20250625:*:*:*:*:*:*+ 3 more
- cpe:2.3:o:qnap:qurouter:2.6.0.239:build_20250625:*:*:*:*:*:*
- cpe:2.3:o:qnap:qurouter:2.6.0.688:build_20250818:*:*:*:*:*:*
- cpe:2.3:o:qnap:qurouter:2.6.1.028:build_20251001:*:*:*:*:*:*
- cpe:2.3:o:qnap:qurouter:2.6.2.007:build_20251027:*:*:*:*:*:*

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

www.qnap.com/en/security-advisory/qsa-26-12nvdVendor Advisory

News mentions

No linked articles in our index yet.

cvss	0.442
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000