EUVD-2025-17339CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Lifecycle Timeline
3Tags
Description
An allocation of resources without limits or throttling vulnerability has been reported to affect File Station 5. If a remote attacker gains a user account, they can then exploit the vulnerability to prevent other systems, applications, or processes from accessing the same type of resource. We have already fixed the vulnerability in the following version: File Station 5 5.5.6.4847 and later
Analysis
CVE-2025-22484 is an unthrottled resource allocation vulnerability in Qnap File Station 5 that allows authenticated remote attackers to exhaust system resources and cause denial of service. An attacker with valid user credentials can exploit this CWE-770 weakness to prevent legitimate users and processes from accessing shared resources, affecting availability. The vulnerability has a moderate-to-high CVSS 7.1 score driven by network accessibility and high availability impact, though it requires prior authentication; the fix is available in File Station 5 version 5.5.6.4847 and later.
Technical Context
The vulnerability resides in Qnap File Station 5, a network file storage access application commonly deployed in NAS environments. The root cause is classified under CWE-770 (Allocation of Resources Without Limits or Throttling), which occurs when the application fails to implement rate limiting, quota enforcement, or resource exhaustion protections on user-initiated operations. This allows an authenticated user to allocate unbounded system resources (likely memory, file handles, connection pools, or temporary storage) through repeated requests or large-scale operations, exhausting the resource pool and triggering denial of service conditions for other legitimate users. The vulnerability is specific to File Station 5 versions prior to 5.5.6.4847, indicating the resource allocation mechanisms were redesigned or throttling controls were added in the patched release.
Affected Products
Qnap File Station 5, versions prior to 5.5.6.4847. The vulnerable range includes all 5.5.6.x releases before build 4847, as well as likely earlier 5.x releases. Affected CPE would be: cpe:2.3:a:qnap:file_station_5:*:*:*:*:*:*:*:* (versions <5.5.6.4847). File Station 5 is commonly bundled with Qnap NAS operating systems (QTS and QuTS) but is also distributed as a standalone application. Organizations running File Station 5 should audit their version numbers and deployment scope. Specific product documentation should be cross-referenced with Qnap security advisories for exact version inventory.
Remediation
Immediate action: Upgrade to File Station 5 version 5.5.6.4847 or later. This is the patched version confirmed to resolve the vulnerability. Organizations should: (1) Test the patch in a non-production environment first to ensure compatibility; (2) Apply the update to all File Station 5 instances in the environment; (3) Document and track patch deployment; (4) Review access controls to ensure only trusted users have access to File Station 5. Interim mitigations (if patching is delayed): Restrict user account creation and audit existing accounts to remove unnecessary access; implement network-level rate limiting or WAF rules on File Station 5 endpoints if deployed behind a reverse proxy; monitor system resource utilization (memory, file handles, CPU) for anomalous consumption patterns indicative of resource exhaustion attacks; isolate critical NAS services on separate systems if high availability is required. Long-term: Subscribe to Qnap security bulletins and enable automatic patching if available.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today