Skip to main content

File Station EUVDEUVD-2025-17336

| CVE-2025-29872 HIGH
Allocation of Resources Without Limits or Throttling (CWE-770)
2025-06-06 security@qnapsecurity.com.tw
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

6
Analysis Updated
Apr 16, 2026 - 06:44 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
5.5.6.4847
EUVD ID Assigned
Mar 14, 2026 - 18:10 euvd
EUVD-2025-17336
Analysis Generated
Mar 14, 2026 - 18:10 vuln.today
CVE Published
Jun 06, 2025 - 16:15 nvd
HIGH 7.5

DescriptionCVE.org

An allocation of resources without limits or throttling vulnerability has been reported to affect File Station 5. If a remote attacker gains a user account, they can then exploit the vulnerability to prevent other systems, applications, or processes from accessing the same type of resource.

We have already fixed the vulnerability in the following version: File Station 5 5.5.6.4847 and later

AnalysisAI

Denial-of-service vulnerability in QNAP File Station 5 that allows an authenticated attacker to exhaust system resources without limits or throttling, preventing legitimate users and processes from accessing the affected service. The vulnerability affects File Station 5 versions prior to 5.5.6.4847 and is remotely exploitable with no user interaction required once account access is obtained. With a CVSS score of 7.5 (High) and network-based attack vector, this represents a significant availability risk for organizations relying on File Station for network file access.

Technical ContextAI

This vulnerability exploits improper resource allocation handling in QNAP File Station 5, classified under CWE-770 (Allocation of Resources Without Limits or Throttling). The root cause involves the absence of rate limiting, request throttling, or resource quota mechanisms in File Station's request handling pipeline. An authenticated user can trigger unbounded resource consumption (likely file handles, memory, I/O operations, or concurrent connection slots) that degrades service availability. The vulnerability is specific to File Station 5, which is QNAP's proprietary file management interface running on their NAS systems (CPE likely qnap:file_station or similar). The lack of AC:L (Low Complexity) in the CVSS vector indicates the attack requires only basic user privileges and standard protocol requests, with no special conditions needed for exploitation.

RemediationAI

Immediate remediation: (1) Upgrade File Station 5 to version 5.5.6.4847 or later; download from QNAP's official support portal for your NAS model; (2) Verify patch application by checking File Station version in the admin console; (3) Short-term mitigations pending patching: restrict File Station access to trusted IP ranges via firewall ACLs; disable File Station if not actively required; monitor resource usage (CPU, memory, I/O, active sessions) for anomalies; implement connection limits or rate-limiting at the reverse proxy/load balancer layer if File Station is exposed externally; audit and revoke unnecessary user accounts to reduce attack surface. Long-term: maintain a patch schedule for QNAP firmware and applications; monitor QNAP security advisories regularly.

CVE-2025-33031 HIGH
8.8 Jun 06

CVE-2025-33031 is an improper certificate validation vulnerability in Synology File Station 5 that allows authenticated

CVE-2025-30279 HIGH
8.8 Jun 06

CVE-2025-30279 is an improper certificate validation vulnerability in QNAP File Station 5 that allows authenticated remo

CVE-2025-29885 HIGH
8.8 Jun 06

CVE-2025-29885 is an improper certificate validation vulnerability in Synology File Station 5 that allows authenticated

CVE-2025-29884 HIGH
8.8 Jun 06

CVE-2025-29884 is an improper certificate validation vulnerability affecting Synology File Station 5 that allows authent

CVE-2025-29883 HIGH
8.8 Jun 06

CVE-2025-29883 is an improper certificate validation vulnerability affecting Synology File Station 5 that allows authent

CVE-2025-22486 HIGH
8.8 Jun 06

CVE-2025-22486 is an improper certificate validation vulnerability in Synology File Station 5 that allows authenticated

CVE-2025-57707 HIGH
8.8 Feb 11

An improper neutralization of directives in statically saved code ('Static Code Injection') vulnerability has been repor

CVE-2025-29877 HIGH
7.5 Jun 06

NULL pointer dereference vulnerability in QNAP File Station 5 that allows authenticated remote attackers to trigger a de

CVE-2025-29876 HIGH
7.5 Jun 06

NULL pointer dereference vulnerability in QNAP File Station 5 that allows authenticated remote attackers to trigger a de

CVE-2025-29873 HIGH
7.5 Jun 06

NULL pointer dereference vulnerability affecting QNAP File Station 5 that allows authenticated remote attackers to trigg

CVE-2025-22490 HIGH
7.5 Jun 06

NULL pointer dereference vulnerability in QNAP File Station 5 that allows authenticated remote attackers to trigger a de

CVE-2025-57713 HIGH
7.5 Feb 11

A weak authentication vulnerability has been reported to affect File Station 5. The remote attackers can then exploit th

Share

EUVD-2025-17336 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy