QuRouter 2.x - Improper Channel Endpoint Restriction (Physical Access)
CVE-2025-62843 Published on March 20, 2026

QuRouter
An improper restriction of communication channel to intended endpoints vulnerability has been reported to affect QHora. If an attacker gains physical access, they can then exploit the vulnerability to gain the privileges that were intended for the original endpoint. We have already fixed the vulnerability in the following version: QuRouter 2.6.3.009 and later

NVD

Weakness Type

Improper Restriction of Communication Channel to Intended Endpoints

The software establishes a communication channel to (or from) an endpoint for privileged or protected operations, but it does not properly ensure that it is communicating with the correct endpoint.

Affected Versions

QNAP Systems Inc. QuRouter:

Version 2.6.x and below 2.6.3.009 is affected.

Exploit Probability

EPSS

0.02%

Percentile

6.25%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.

QuRouter 2.x - Improper Channel Endpoint Restriction (Physical Access)CVE-2025-62843 Published on March 20, 2026

Weakness Type

Improper Restriction of Communication Channel to Intended Endpoints

Affected Versions

Exploit Probability

QuRouter 2.x - Improper Channel Endpoint Restriction (Physical Access)
CVE-2025-62843 Published on March 20, 2026