
Qnap CVE-2025-22484

EUVD-2025-17339 · HIGH
Allocation of Resources Without Limits or Throttling (CWE-770)
Published 2025-06-06 · Assigner: security@qnapsecurity.com.tw
7.1 (CVSS 4.0 · NVD)

Severity by source

NVD PRIMARY
7.1 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Attack Vector
Network
Attack Complexity
Low
Attack Requirements
None
Privileges Required
Low
User Interaction
None
Vulnerable System Impact
Confidentiality: None · Integrity: None · Availability: High
Subsequent System Impact
None

Lifecycle Timeline (6 events, newest first)

Analysis Updated: Apr 16, 2026 06:44 (EUVD-patch-fix, executive_summary)
Re-analysis Queued: Apr 16, 2026 05:29 (backfill_euvd_patch, patch_released)
Patch available: Apr 16, 2026 05:29 (EUVD; fixed version 5.5.6.4847)
EUVD ID Assigned: Mar 14, 2026 18:10 (euvd; EUVD-2025-17339)
Analysis Generated: Mar 14, 2026 18:10 (vuln.today)
CVE Published: Jun 06, 2025 16:15 (nvd; rated HIGH 7.1)

Description (CVE.org)

An allocation of resources without limits or throttling vulnerability has been reported to affect File Station 5. If a remote attacker gains a user account, they can then exploit the vulnerability to prevent other systems, applications, or processes from accessing the same type of resource.

We have already fixed the vulnerability in the following version: File Station 5 5.5.6.4847 and later

Analysis (AI)

CVE-2025-22484 is an unthrottled resource allocation vulnerability (CWE-770) in Qnap File Station 5 that lets an authenticated remote attacker exhaust a shared system resource and cause denial of service. Any valid user account is sufficient: with it, the attacker can prevent legitimate users, applications, and processes from obtaining the same resource, so the impact is purely on availability. The CVSS 4.0 score of 7.1 (High) is driven by network reachability, low attack complexity, and high availability impact; the only mitigating factor in the vector is that low privileges (an existing account) are required. The fix is available in File Station 5 version 5.5.6.4847 and later.

Technical Context (AI)

The vulnerability resides in Qnap File Station 5, the file-management application bundled with QNAP NAS devices and typically reachable over the network by every NAS user. The root cause is classified as CWE-770 (Allocation of Resources Without Limits or Throttling): the application accepts user-initiated operations without rate limiting, quota enforcement, or any other guard against resource exhaustion. An authenticated user can therefore drive unbounded allocation of some shared resource through repeated or oversized requests until the pool is drained and other users and processes are denied service. Qnap does not say which resource is involved; memory, file handles, connection slots, and temporary storage are the usual candidates for this weakness class. The CVSS 4.0 vector is consistent with that reading: network-reachable, low complexity, low privileges, no user interaction, high availability impact on the vulnerable system, and no confidentiality or integrity impact. Affected versions are File Station 5 releases before 5.5.6.4847. The vendor description quoted above does not describe how the fix works, so administrators should not assume any particular throttling or quota behaviour in the patched build beyond "the vulnerability is fixed".
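To make the CWE-770 pattern concrete, the following added example (written for this page, not Qnap code and not taken from File Station) contrasts a file-service handler that allocates from a shared pool with no per-user limit against one that enforces a per-user byte quota and a per-user token-bucket request rate. The class names, limits, request shape and the `simulate` driver are assumptions for illustration only; the point is that the vulnerable service lets one low-privilege account starve everyone, while the throttled one rejects that account and keeps serving the others.

```python
"""Added example (not Qnap code): the CWE-770 pattern in a generic file service.

UnboundedFileService mimics the weakness class: every authenticated request
reserves space from a shared pool and nothing limits one user, so a single
low-privilege account can drain the pool for everyone.  ThrottledFileService
adds the two controls the weakness description calls for: a per-user quota on
outstanding allocations and a per-user token-bucket rate limit.  All names,
limits and the request shape are assumptions, not File Station's API.
"""
import time
from collections import defaultdict


class ResourceExhausted(Exception):
    """The shared pool (think temp storage or file handles) is fully consumed."""


class RequestRejected(Exception):
    """The throttled service refused a request: quota or rate limit exceeded."""


class UnboundedFileService:
    """Vulnerable pattern: allocates from a shared pool with no per-user limit."""

    def __init__(self, pool_bytes: int):
        self.pool_free = pool_bytes

    def reserve(self, user: str, nbytes: int) -> None:
        if nbytes > self.pool_free:
            # Once any one user has drained the pool, every user lands here.
            raise ResourceExhausted(f"pool empty; {user} denied")
        self.pool_free -= nbytes


class TokenBucket:
    """Per-user token bucket: refills `rate` tokens/second, bursts up to `capacity`."""

    def __init__(self, rate: float, capacity: int, clock=time.monotonic):
        self.rate, self.capacity, self.clock = rate, capacity, clock
        self.tokens = float(capacity)
        self.last = clock()

    def take(self) -> bool:
        now = self.clock()
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens < 1:
            return False
        self.tokens -= 1
        return True


class ThrottledFileService:
    """Hardened pattern: per-user byte quota plus per-user request rate limit."""

    def __init__(self, pool_bytes, user_quota_bytes, rate, burst, clock=time.monotonic):
        self.pool_free = pool_bytes
        self.user_quota = user_quota_bytes
        self.used = defaultdict(int)  # bytes currently held by each user
        self.buckets = defaultdict(lambda: TokenBucket(rate, burst, clock))

    def reserve(self, user: str, nbytes: int) -> None:
        if not self.buckets[user].take():
            raise RequestRejected(f"{user}: rate limit exceeded")
        if self.used[user] + nbytes > self.user_quota:
            raise RequestRejected(f"{user}: quota exceeded")
        if nbytes > self.pool_free:
            raise ResourceExhausted("pool empty")
        self.used[user] += nbytes
        self.pool_free -= nbytes

    def release(self, user: str, nbytes: int) -> None:
        self.used[user] -= nbytes
        self.pool_free += nbytes


def simulate(service, attacker="mallory", victim="alice", chunk=1 << 20, attempts=2000):
    """Attacker spams reservations, then the victim tries one.
    Returns (attacker_successes, attacker_rejections, victim_served)."""
    ok = rejected = 0
    for _ in range(attempts):
        try:
            service.reserve(attacker, chunk)
            ok += 1
        except (RequestRejected, ResourceExhausted):
            rejected += 1
    try:
        service.reserve(victim, chunk)
        victim_served = True
    except (RequestRejected, ResourceExhausted):
        victim_served = False
    return ok, rejected, victim_served


if __name__ == "__main__":
    pool = 64 << 20  # 64 MiB shared pool, an assumed figure
    print("unbounded:", simulate(UnboundedFileService(pool)))
    print("throttled:", simulate(ThrottledFileService(pool, 8 << 20, rate=5, burst=10)))
```

Running it shows the unbounded service handing the whole pool to the attacker and then refusing the victim, while the throttled service caps the attacker at its quota, rate-limits the rest of the flood, and still serves the victim. The quota check is what stops the exhaustion; the token bucket only limits how fast the attacker can probe.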

Remediation (AI)

Immediate action: upgrade to File Station 5 version 5.5.6.4847 or later, the release Qnap names as containing the fix. Recommended rollout:

1. Test the update in a non-production environment to confirm compatibility.
2. Apply it to every File Station 5 instance in the environment.
3. Document and track deployment so that unpatched NAS units remain visible.
4. Review who holds accounts on the NAS, since any valid low-privilege account is enough to exploit this (PR:L in the vector).

Interim mitigations if patching is delayed:

- Restrict account creation and audit existing accounts; disable or remove any that are not needed.
- If File Station is reached through a reverse proxy, apply rate limiting or WAF rules to its endpoints there, keyed per authenticated user or source address.
- Monitor NAS resource utilization (memory, file handles, CPU, temporary storage) and alert on abrupt consumption that correlates with a single account's activity.
- Where availability matters, keep other critical NAS services on separate systems so that exhaustion inside File Station cannot take them down.

Long-term: subscribe to Qnap security advisories and enable automatic updates where the deployment allows it.
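As an added illustration of the monitoring step above (not code from Qnap or from this page), the following Python flags a single account that bursts allocations, using a per-user sliding window over an access log. The log format, field names, sample lines and thresholds are constructed for the example and are not File Station's real log format; in practice the same window logic would be pointed at whatever the NAS or reverse proxy actually emits.

```python
"""Added example (not Qnap code): spotting an authenticated resource-exhaustion
burst in application access logs with a per-user sliding window.

The log line format below is constructed for this example; File Station's real
logs look different.  Thresholds are illustrative.  Records are assumed to be
in chronological order per user, which is how a log is normally tailed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) op=(?P<op>\S+) bytes=(?P<bytes>\d+)$"
)

# Constructed sample: alice behaves normally, mallory fires 30 one-MiB
# allocations in ten seconds (three per second), and one line is malformed.
SAMPLE_LOG = [
    "2025-06-06T10:00:00Z user=alice src=10.0.0.7 op=upload bytes=2048",
    "2025-06-06T10:00:04Z user=alice src=10.0.0.7 op=list bytes=0",
    "this line is not in the expected format",
] + [
    f"2025-06-06T10:00:{i // 3:02d}Z user=mallory src=10.0.0.5 op=upload bytes=1048576"
    for i in range(30)
] + [
    "2025-06-06T10:00:12Z user=alice src=10.0.0.7 op=download bytes=65536",
]


def parse(line: str):
    """Return (ts, user, src, op, bytes) or None for a line that does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["user"], m["src"], m["op"], int(m["bytes"])


def find_bursts(lines, window_s=60, max_requests=20, max_bytes=16 << 20):
    """Return {user: (when_flagged_iso, requests_in_window, bytes_in_window)} for
    every user who exceeds either threshold inside some `window_s` sliding window.
    Only the first crossing per user is recorded."""
    windows = defaultdict(deque)  # user -> deque of (ts, bytes) inside the window
    flagged = {}
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue  # malformed lines are skipped, not fatal
        ts, user, _src, _op, nbytes = rec
        w = windows[user]
        w.append((ts, nbytes))
        while (ts - w[0][0]).total_seconds() > window_s:
            w.popleft()
        total = sum(b for _, b in w)
        if user not in flagged and (len(w) > max_requests or total > max_bytes):
            flagged[user] = (ts.isoformat(), len(w), total)
    return flagged


if __name__ == "__main__":
    for user, (when, n, total) in find_bursts(SAMPLE_LOG).items():
        print(f"{when} {user}: {n} requests, {total} bytes in window")
```

Keying the window by the authenticated user rather than by source address matters here: the vulnerability needs a valid account, so the account is the stable identifier, and an attacker can rotate addresses more easily than accounts. Whichever threshold trips first is reported, which in the sample is the byte total rather than the request count.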


CVE-2025-22484 vulnerability details – vuln.today
