File Station CVE-2025-29872

EUVD-2025-17336 | Severity: HIGH
Allocation of Resources Without Limits or Throttling (CWE-770)
Published 2025-06-06 (CNA contact: security@qnapsecurity.com.tw)
CVSS 3.1 base score: 7.5

CVSS Vector (source: NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High

Lifecycle Timeline (6 events)

Analysis Updated: Apr 16, 2026 06:44 (source: EUVD-patch-fix; field: executive_summary)
Re-analysis Queued: Apr 16, 2026 05:29 (source: backfill_euvd_patch; field: patch_released)
Patch available: Apr 16, 2026 05:29 (source: EUVD; fixed version 5.5.6.4847)
EUVD ID Assigned: Mar 14, 2026 18:10 (source: euvd; EUVD-2025-17336)
Analysis Generated: Mar 14, 2026 18:10 (source: vuln.today)
CVE Published: Jun 06, 2025 16:15 (source: nvd; HIGH 7.5)

Description (source: NVD)

An allocation of resources without limits or throttling vulnerability has been reported to affect File Station 5. If a remote attacker gains a user account, they can then exploit the vulnerability to prevent other systems, applications, or processes from accessing the same type of resource.

We have already fixed the vulnerability in the following version: File Station 5 5.5.6.4847 and later.

Analysis (AI-generated)

Denial-of-service vulnerability in QNAP File Station 5 that allows an authenticated attacker to exhaust system resources, because the service applies no limits or throttling, preventing legitimate users and processes from accessing it. The vulnerability affects File Station 5 versions prior to 5.5.6.4847 and is remotely exploitable with no user interaction required once account access is obtained. With a CVSS score of 7.5 (High) and a network attack vector, this represents a significant availability risk for organizations relying on File Station for network file access.

Technical Context (AI-generated)

This vulnerability stems from improper resource allocation handling in QNAP File Station 5, classified under CWE-770 (Allocation of Resources Without Limits or Throttling). The root cause is the absence of rate limiting, request throttling, or resource quota mechanisms in File Station's request handling pipeline. An authenticated user can trigger unbounded resource consumption (likely file handles, memory, I/O operations, or concurrent connection slots) that degrades service availability. The vulnerability is specific to File Station 5, QNAP's proprietary file management interface running on its NAS systems (CPE likely qnap:file_station or similar). AC:L (Low Complexity) in the CVSS vector indicates that the attack requires only basic user privileges and standard protocol requests, with no special conditions needed for exploitation.

Remediation (AI-generated)

Immediate remediation:

(1) Upgrade File Station 5 to version 5.5.6.4847 or later; download it from QNAP's official support portal for your NAS model.
(2) Verify patch application by checking the File Station version in the admin console.
(3) Short-term mitigations pending patching: restrict File Station access to trusted IP ranges via firewall ACLs; disable File Station if it is not actively required; monitor resource usage (CPU, memory, I/O, active sessions) for anomalies; implement connection limits or rate limiting at the reverse proxy/load balancer layer if File Station is exposed externally; audit and revoke unnecessary user accounts to reduce the attack surface.

Long-term: maintain a patch schedule for QNAP firmware and applications, and monitor QNAP security advisories regularly.
