File Station EUVD-2025-17344

CVE-2025-29883 HIGH
Improper Certificate Validation (CWE-295)
2025-06-06 security@qnapsecurity.com.tw
8.8
CVSS 3.1 · NVD
Severity by source

NVD PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline (6 events)

Analysis Updated: Apr 16, 2026 - 06:44, EUVD-patch-fix (executive_summary)
Re-analysis Queued: Apr 16, 2026 - 05:29, backfill_euvd_patch (patch_released)
Patch available: Apr 16, 2026 - 05:29, EUVD (5.5.6.4791)
EUVD ID Assigned: Mar 14, 2026 - 18:10, euvd (EUVD-2025-17344)
Analysis Generated: Mar 14, 2026 - 18:10, vuln.today
CVE Published: Jun 06, 2025 - 16:15, nvd (HIGH 8.8)

Description (CVE.org)

An improper certificate validation vulnerability has been reported to affect File Station 5. If exploited, the vulnerability could allow remote attackers who have gained user access to compromise the security of the system.

We have already fixed the vulnerability in the following versions: File Station 5 5.5.6.4791 and later.

Analysis (AI)

CVE-2025-29883 is an improper certificate validation vulnerability affecting Synology File Station 5 that allows authenticated remote attackers to compromise system security through man-in-the-middle attacks or credential harvesting. The vulnerability requires valid user credentials (PR:L) but can result in complete system compromise with high impact to confidentiality, integrity, and availability (CVSS 8.8). Patched versions are available for File Station 5 5.5.6.4791 and later.

Technical Context (AI)

This vulnerability is rooted in CWE-295 (Improper Certificate Validation), a common weakness in SSL/TLS implementations where applications fail to properly validate X.509 certificates during secure communications. File Station 5, Synology's web-based file management application, likely fails to verify certificate chains, check certificate expiration, validate hostname/CN matching, or properly handle self-signed or revoked certificates. This allows attackers on the network path to intercept encrypted communications using fraudulent certificates. The vulnerability exists in the application layer where File Station communicates with backend services or external systems, possibly during authentication, file transfer operations, or API communications. Affected CPE: cpe:2.3:a:synology:file_station_5:*:*:*:*:*:*:*:* (versions prior to 5.5.6.4791).
