CVE-2025-22490

| EUVD-2025-17338 HIGH
2025-06-06 [email protected]
7.5
CVSS 3.1
Share

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

3
Analysis Generated
Mar 14, 2026 - 18:10 vuln.today
EUVD ID Assigned
Mar 14, 2026 - 18:10 euvd
EUVD-2025-17338
CVE Published
Jun 06, 2025 - 16:15 nvd
HIGH 7.5

Tags

Null Pointer Dereference Denial Of Service Qnap File Station

Description

A NULL pointer dereference vulnerability has been reported to affect File Station 5. If a remote attacker gains a user account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following version: File Station 5 5.5.6.4847 and later

Analysis

NULL pointer dereference vulnerability in QNAP File Station 5 that allows authenticated remote attackers to trigger a denial-of-service condition by crashing the application. The vulnerability affects File Station 5 versions prior to 5.5.6.4847, and while it requires valid user credentials (PR:N indicates no privileges required once authenticated), it has a CVSS score of 7.5 reflecting high availability impact. No indication of active exploitation in the wild or public POC is evident from the provided data.

Technical Context

CVE-2025-22490 represents a CWE-476 (NULL Pointer Dereference) vulnerability within QNAP's File Station 5 application, a network-attached storage (NAS) file management service. The vulnerability likely exists in the application layer where improper null pointer validation occurs during request processing—potentially in file handling, metadata processing, or API endpoint handlers. File Station 5 is a core component of QNAP NAS devices and runs as a web-based service accessible over HTTP/HTTPS (AV:N). The NULL dereference suggests unsafe memory access patterns in C/C++ code where pointer validation is insufficient before dereferencing, leading to unhandled exceptions that crash the service. The AC:L (Low Complexity) rating indicates the vulnerability is trivial to exploit once authenticated.

Affected Products

QNAP File Station 5 versions prior to 5.5.6.4847. Affected CPE would be cpe:2.3:a:qnap:file_station_5:*:*:*:*:*:*:*:* with version constraints <5.5.6.4847. This affects all QNAP NAS systems (x86-based and ARM-based) running vulnerable File Station 5 versions. The vulnerability impacts NAS devices across QNAP's consumer (TS-2xx, TS-4xx) and enterprise (TS-8xx, TS-12xx) product lines where File Station 5 is installed. Vendor advisory references would typically be available at QNAP's security advisory page (security.qnap.com) under the product's release notes or dedicated CVE listings.

Remediation

Immediate remediation: Update File Station 5 to version 5.5.6.4847 or later. For QNAP NAS devices, this requires: (1) Accessing the NAS administration interface (typically https://<nas-ip>:8081); (2) Navigating to System Settings > Firmware Update or App Center; (3) Checking for File Station 5 updates and applying the patched version; (4) Rebooting if required. Interim mitigations while patching: (a) Restrict File Station 5 access via firewall rules to trusted IP ranges only; (b) Disable File Station 5 if not in active use; (c) Enforce strong password policies and multi-factor authentication for NAS user accounts; (d) Monitor application logs for NULL pointer exceptions (typically logged as segmentation faults or unhandled exceptions in syslog). Verify patch application by checking File Station 5 version in the application's about/settings page to confirm ≥5.5.6.4847.

Priority Score

38
Low Medium High Critical
KEV: 0
EPSS: +0.1
CVSS: +38
POC: 0

Share

CVE-2025-22490 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy