EUVD-2025-17335

CVE-2025-29873 | HIGH | 7.5 (CVSS 3.1) | 2025-06-06 [email protected]

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High

Lifecycle Timeline

Analysis Generated: Mar 14, 2026 - 18:10 (vuln.today)
EUVD ID Assigned: Mar 14, 2026 - 18:10 (euvd), EUVD-2025-17335
CVE Published: Jun 06, 2025 - 16:15 (nvd), HIGH 7.5

Description

A NULL pointer dereference vulnerability has been reported to affect File Station 5. If a remote attacker gains a user account, they can then exploit the vulnerability to launch a denial-of-service (DoS) attack. We have already fixed the vulnerability in the following version: File Station 5 5.5.6.4847 and later

Analysis

This is a NULL pointer dereference vulnerability in QNAP File Station 5 that allows authenticated remote attackers to trigger a denial-of-service condition by crashing the application. The vulnerability has a CVSS score of 7.5 (High) due to its network accessibility and high availability impact, though it requires valid user credentials to exploit. QNAP has released patched versions (5.5.6.4847 and later) to remediate this issue.

Technical Context

This vulnerability stems from improper null pointer handling in File Station 5, QNAP's file management application. CVE-2025-29873 is classified as CWE-476 (NULL Pointer Dereference), which occurs when code dereferences a null pointer without validating it first. In File Station 5, the vulnerable code path likely processes file system operations or API requests without checking that an object was initialized before use. The CVSS vector (AV:N/AC:L/PR:N/UI:N/S:U) indicates the flaw is remotely exploitable over the network with low attack complexity. However, the vector's PR:N (no privileges required) conflicts with the description text, which says the attacker must first gain a user account; this suggests the vulnerability may be exploitable by any network user, or may require only minimal privileges from basic user authentication.

Affected Products

QNAP File Station 5 versions prior to 5.5.6.4847 are affected. Specific affected versions are not enumerated in provided data, but the vendor has confirmed patching in version 5.5.6.4847 and all subsequent releases. The vulnerability affects File Station 5 running on compatible QNAP NAS devices (QTS, QuTS hero operating systems). No CPE data or vendor advisory links were provided in the intelligence sources, but the product should be identified via QNAP's official File Station 5 documentation and device compatibility matrices.

Remediation

Immediate remediation: Update File Station 5 to version 5.5.6.4847 or later. Organizations should:

(1) Check QNAP's official security advisories and File Station 5 release notes for patch availability;
(2) Plan upgrade windows during maintenance periods, as File Station may require service restart;
(3) Validate patch installation by verifying the version number in File Station settings post-update;
(4) Short-term mitigation (if immediate patching is not possible): restrict network access to File Station 5 to trusted users/IP ranges via firewall rules, disable remote access if not required, and monitor access logs for suspicious authentication activity.

Contact QNAP support at https://support.qnap.com for device-specific guidance.

Priority Score

38
KEV: 0
EPSS: +0.1
CVSS: +38
POC: 0
