CVE-2025-29872
📋 TL;DR
This vulnerability in QNAP File Station 5 lets an attacker who holds a valid user account on the NAS trigger uncontrolled resource allocation and exhaust system resources. Legitimate users and processes are then denied access to shared resources, which amounts to a denial of service. Any QNAP NAS running a vulnerable File Station 5 build is affected; exploitation requires authentication, but only an ordinary user account.
💻 Affected Systems
- QNAP File Station 5
📦 What is this software?
File Station is the browser-based file manager bundled with QNAP's NAS operating systems (QTS and QuTS hero). It lets users browse, upload, download, and share files stored on the NAS from a web browser, and it is served through the NAS web interface rather than on a port of its own.
⚠️ Risk & Real-World Impact
Worst Case
Complete denial of service for File Station and potentially other services on the NAS, rendering the device unusable until reboot or manual intervention.
Likely Case
Degraded performance or temporary unavailability of File Station functionality for legitimate users.
If Mitigated
Limited impact where user accounts are restricted to trusted people and the NAS web interface is reachable only from trusted networks; an attacker then needs to compromise a legitimate account and be on the right network segment before the flaw is reachable.
🎯 Exploit Status
Exploitation requires a valid user account but is technically simple once authenticated. No public exploit code is currently available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: File Station 5 version 5.5.6.4847 or later
Vendor Advisory: https://www.qnap.com/en/security-advisory/qsa-25-16
Restart Required: Yes
Instructions:
1. Log into the QNAP NAS admin interface.
2. Open App Center.
3. Check for updates.
4. Update File Station to version 5.5.6.4847 or later.
5. Reboot the NAS if prompted.
🔧 Temporary Workarounds
Disable File Station
Temporarily disable the File Station service if immediate patching is not possible.
In App Center, locate File Station in the list of installed apps and choose 'Disable'. Note that this also removes browser-based file management and any File Station features (such as share links) for all users until it is re-enabled.
Restrict Network Access
Limit access to the NAS web interface, which serves File Station, to trusted networks only.
Use QuFirewall (installed from App Center) or Control Panel > System > Security > Allow/Deny List to permit only trusted source IP ranges to reach the web interface, and do not expose the NAS web interface directly to the internet. The Telnet/SSH settings page does not control this access.
🧯 If You Can't Patch
- Apply strict access controls: keep the number of user accounts small, remove unused accounts, and restrict File Station access to users who need it
- Monitor system resource usage (Resource Monitor, QuLog Center) and set up alerts for abnormal File Station activity such as request bursts from a single account or IP
🔍 How to Verify
Check if Vulnerable:
Check the File Station version in App Center. If the version is below 5.5.6.4847, the system is vulnerable according to the vendor advisory.
Check Version:
Use the App Center page in the QNAP web interface, or over SSH list the installed app record for File Station from the QPKG configuration file (section and key names may differ between firmware releases, hence the case-insensitive match with context):
ssh admin@nas_ip "grep -i -A 3 filestation /etc/config/qpkg.conf"
The firmware version itself can be read with `getcfg System Version`; /etc/config/uLinux.conf holds system settings and does not record the File Station version.
Verify Fix Applied:
Confirm File Station version is 5.5.6.4847 or higher in App Center after update.
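The version check above is easy to get wrong when scripted, because a plain string comparison ranks "5.5.10.1" below "5.5.6.4847". The following is an added example, not QNAP's code: it compares dotted build numbers numerically against the fixed version given on this page, and pulls the installed version out of an INI-style app record. The sample text is constructed to approximate the layout of /etc/config/qpkg.conf; the section and key names on a real NAS are an assumption and are matched case-insensitively.

```python
"""Check whether an installed File Station 5 build is below the fixed version.

Added example, not QNAP's code. Assumes an INI-style record of installed apps
with a "Version = x.y.z.build" line, approximating /etc/config/qpkg.conf on
QTS. The sample below is constructed; section/key names are assumptions.
"""
import configparser
import re

FIXED_VERSION = "5.5.6.4847"  # fixed build named in QSA-25-16 as stated on this page

# Constructed sample approximating the qpkg.conf layout.
SAMPLE_QPKG_CONF = """\
[FileStation5]
Name = FileStation5
Version = 5.5.6.4203
Enable = TRUE

[Qsync]
Name = Qsync
Version = 5.1.0
Enable = TRUE
"""


def parse_version(text):
    """Split '5.5.6.4847' into a tuple of ints so comparison is numeric.

    A string compare would wrongly rank '5.5.10.1' below '5.5.6.4847'.
    """
    parts = re.findall(r"\d+", text)
    if not parts:
        raise ValueError(f"no numeric version in {text!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(installed, fixed=FIXED_VERSION):
    """True when `installed` is strictly below `fixed`.

    Missing trailing components count as 0, so '5.5.6' == '5.5.6.0' and is
    therefore below the fixed build 5.5.6.4847.
    """
    a, b = parse_version(installed), parse_version(fixed)
    n = max(len(a), len(b))
    a += (0,) * (n - len(a))
    b += (0,) * (n - len(b))
    return a < b


def file_station_version(conf_text):
    """Return the Version value of the File Station section, or None."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    for section in cp.sections():
        # Section naming is an assumption; match loosely on 'filestation'.
        if "filestation" in section.replace(" ", "").lower():
            if cp.has_option(section, "Version"):
                return cp.get(section, "Version").strip()
    return None


if __name__ == "__main__":
    installed = file_station_version(SAMPLE_QPKG_CONF)
    print(f"installed {installed}, fixed {FIXED_VERSION}, "
          f"vulnerable={is_vulnerable(installed)}")
```

To run it against a real NAS, replace SAMPLE_QPKG_CONF with the output of the grep shown above (or the whole file) and confirm that the section the loose match picks up is actually File Station.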
📡 Detection & Monitoring
Log Indicators:
- Unusually high resource consumption by File Station processes
- Multiple failed resource allocation attempts in system logs
Network Indicators:
- Abnormal number of File Station requests or connections from a single source IP or user account
- Sustained high bandwidth to the NAS web interface port that serves File Station (QTS defaults: 8080 for HTTP, 443 for HTTPS)
SIEM Query (illustrative; the field names depend on how the NAS logs are forwarded, for example via QuLog Center syslog, and must be mapped to your own schema):
source="qnap_nas" process="FileStation" (resource_usage>90 OR connection_count>100)
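The network indicator above (many File Station requests from one source) is simple to detect outside a SIEM as well. The following is an added example, not QNAP's code or any vendor's detection rule: it runs a per-IP sliding-window request counter over log lines and reports sources that exceed a threshold. The log format and the `/filestation/` path prefix are constructed for the example; real QTS Connection Logs or QuLog Center exports use a different layout, so the regular expression and prefix are assumptions to adapt.

```python
"""Flag source IPs whose File Station request rate exceeds a threshold.

Added example, not QNAP's code. The log format is constructed to resemble a
syslog-style web access record; real QTS logs differ, so adapt LINE_RE and
the path prefix to the fields your NAS actually emits.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)
THRESHOLD = 100  # requests per window; tune to the site's normal load

# Constructed format: <iso timestamp> <host> httpd: <ip> user=<name> <METHOD> <path>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ httpd: (?P<ip>\d+\.\d+\.\d+\.\d+) user=(?P<user>\S+) "
    r"(?P<method>[A-Z]+) (?P<path>\S+)"
)


def make_sample_logs():
    """Constructed log lines: alice browses normally, mallory hammers File Station."""
    base = datetime(2025, 6, 1, 10, 0, 0)
    lines = []
    for i in range(5):
        t = base + timedelta(seconds=10 * i)
        lines.append(f"{t.isoformat()} nas1 httpd: 10.0.0.5 user=alice GET /filestation/list")
    for i in range(150):
        t = base + timedelta(milliseconds=300 * i)  # 150 requests in ~45 s
        lines.append(f"{t.isoformat()} nas1 httpd: 10.0.0.9 user=mallory POST /filestation/upload")
    lines.append("2025-06-01T10:05:00 nas1 sshd: unrelated line that must be ignored")
    return lines


def parse_line(line):
    """Return (timestamp, ip, user, path) or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["ip"], m["user"], m["path"]


def find_floods(lines, window=WINDOW, threshold=THRESHOLD, path_prefix="/filestation/"):
    """Return {ip: peak request count within any `window`} for IPs over `threshold`.

    Records are sorted by time first, then a per-IP deque keeps only the
    timestamps inside the trailing window. A sliding window catches a burst
    that straddles a minute boundary, which fixed per-minute buckets would
    split in two and possibly miss.
    """
    records = [r for r in (parse_line(l) for l in lines) if r is not None]
    records.sort(key=lambda r: r[0])
    recent = defaultdict(deque)
    peaks = {}
    for ts, ip, _user, path in records:
        if not path.startswith(path_prefix):
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) > threshold:
            peaks[ip] = max(peaks.get(ip, 0), len(q))
    return peaks


if __name__ == "__main__":
    for ip, peak in find_floods(make_sample_logs()).items():
        print(f"ALERT {ip}: {peak} File Station requests within {WINDOW.seconds}s")
```

Pair the per-IP count with a per-user count if the NAS sits behind a reverse proxy or NAT, since then many users share one source address and a single noisy account is the more useful key.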