Skip to main content

File Station CVE-2025-29873

| EUVD-2025-17335 HIGH
NULL Pointer Dereference (CWE-476)
2025-06-06 security@qnapsecurity.com.tw
Denial Of Service Null Pointer Dereference Qnap File Station
7.5
CVSS 3.1
Share

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

6
Analysis Updated
Apr 16, 2026 - 06:44 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
5.5.6.4847
EUVD ID Assigned
Mar 14, 2026 - 18:10 euvd
EUVD-2025-17335
Analysis Generated
Mar 14, 2026 - 18:10 vuln.today
CVE Published
Jun 06, 2025 - 16:15 nvd
HIGH 7.5

DescriptionNVD

A NULL pointer dereference vulnerability has been reported to affect File Station 5. If a remote attacker gains a user account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack.

We have already fixed the vulnerability in the following version: File Station 5 5.5.6.4847 and later

AnalysisAI

NULL pointer dereference vulnerability affecting QNAP File Station 5 that allows authenticated remote attackers to trigger a denial-of-service condition by crashing the application. The vulnerability has a CVSS score of 7.5 (High) due to its network accessibility and high availability impact, though it requires valid user credentials to exploit. QNAP has released patched versions (5.5.6.4847 and later) to remediate this issue.

Technical ContextAI

This vulnerability exploits improper null pointer handling in the File Station 5 application, a QNAP file management service. CVE-2025-29873 is classified as CWE-476 (NULL Pointer Dereference), which occurs when code attempts to dereference a null pointer without validation. In File Station 5, the vulnerable code path likely processes file system operations or API requests that fail to validate object initialization before use. The CVSS vector (AV:N/AC:L/PR:N/UI:N/S:U) indicates the flaw is remotely exploitable over network protocols with no special access complexity required; however, the PR:N designation in the description text contradicts typical authenticated requirements, suggesting the vulnerability may be exploitable by any network user or requires minimal privilege escalation from basic user authentication.

RemediationAI

Immediate remediation: Update File Station 5 to version 5.5.6.4847 or later. Organizations should: (1) Check QNAP's official security advisories and File Station 5 release notes for patch availability; (2) Plan upgrade windows during maintenance periods, as File Station may require service restart; (3) Validate patch installation by verifying the version number in File Station settings post-update; (4) Short-term mitigation (if immediate patching is not possible): restrict network access to File Station 5 to trusted users/IP ranges via firewall rules, disable remote access if not required, and monitor access logs for suspicious authentication activity. Contact QNAP support at https://support.qnap.com for device-specific guidance.

Share

CVE-2025-29873 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy