EUVD-2025-17336
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
3Description
An allocation of resources without limits or throttling vulnerability has been reported to affect File Station 5. If a remote attacker gains a user account, they can then exploit the vulnerability to prevent other systems, applications, or processes from accessing the same type of resource. We have already fixed the vulnerability in the following version: File Station 5 5.5.6.4847 and later
Analysis
Denial-of-service vulnerability in QNAP File Station 5 that allows an authenticated attacker to exhaust system resources without limits or throttling, preventing legitimate users and processes from accessing the affected service. The vulnerability affects File Station 5 versions prior to 5.5.6.4847 and is remotely exploitable with no user interaction required once account access is obtained. With a CVSS score of 7.5 (High) and network-based attack vector, this represents a significant availability risk for organizations relying on File Station for network file access.
Technical Context
This vulnerability exploits improper resource allocation handling in QNAP File Station 5, classified under CWE-770 (Allocation of Resources Without Limits or Throttling). The root cause involves the absence of rate limiting, request throttling, or resource quota mechanisms in File Station's request handling pipeline. An authenticated user can trigger unbounded resource consumption (likely file handles, memory, I/O operations, or concurrent connection slots) that degrades service availability. The vulnerability is specific to File Station 5, which is QNAP's proprietary file management interface running on their NAS systems (CPE likely qnap:file_station or similar). The lack of AC:L (Low Complexity) in the CVSS vector indicates the attack requires only basic user privileges and standard protocol requests, with no special conditions needed for exploitation.
Affected Products
QNAP File Station 5: versions prior to 5.5.6.4847 are vulnerable. Affected configurations include: (1) File Station 5 running on QNAP NAS systems (all models that support File Station 5); (2) Any deployment where File Station is exposed to untrusted networks or multi-tenant environments; (3) Systems with user accounts created for file access. Fixed in: File Station 5 version 5.5.6.4847 and later. Exact CPE would be 'cpe:2.3:a:qnap:file_station_5:*:*:*:*:*:*:*:*' with versionEndExcluding 5.5.6.4847. QNAP vendor advisory: Users should consult QNAP security bulletins and advisories for official patch downloads and release notes.
Remediation
Immediate remediation: (1) Upgrade File Station 5 to version 5.5.6.4847 or later; download from QNAP's official support portal for your NAS model; (2) Verify patch application by checking File Station version in the admin console; (3) Short-term mitigations pending patching: restrict File Station access to trusted IP ranges via firewall ACLs; disable File Station if not actively required; monitor resource usage (CPU, memory, I/O, active sessions) for anomalies; implement connection limits or rate-limiting at the reverse proxy/load balancer layer if File Station is exposed externally; audit and revoke unnecessary user accounts to reduce attack surface. Long-term: maintain a patch schedule for QNAP firmware and applications; monitor QNAP security advisories regularly.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today