CVE-2025-54155

4.9 MEDIUM

📋 TL;DR

This vulnerability in QNAP File Station 5 allows a remote attacker who already holds administrator credentials to make the application allocate system resources (memory, CPU, handles) without any upper bound, potentially causing a denial of service by starving other processes on the NAS of those resources. Any QNAP NAS running an affected File Station 5 version is exposed. Because administrative access is a precondition, the practical risk comes from compromised or abused admin accounts rather than from anonymous attackers.

💻 Affected Systems

Products:
  • QNAP File Station 5
Versions: All versions before 5.5.6.5018
Operating Systems: QTS, QuTS hero
Default Config Vulnerable: ⚠️ Yes
Notes: Affects QNAP NAS devices with File Station 5 enabled. Requires administrator account access to exploit.

📦 What is this software?

File Station is QNAP's web-based file manager, bundled with the QTS and QuTS hero NAS operating systems. It lets users browse, upload, download, share and manage files on the NAS from a browser, and in QTS 5 it is updated as an app through App Center rather than only with the firmware.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system resource exhaustion leading to denial of service, potentially affecting every service on the NAS (shares, backups, the management interface itself) and requiring a reboot to recover.

🟠

Likely Case

Degraded performance or temporary unavailability of File Station and related services until resource consumption stops.

🟢

If Mitigated

Limited impact due to existing resource limits or monitoring catching abnormal consumption patterns.

🌐 Internet-Facing: MEDIUM - Requires admin credentials but internet-facing NAS devices are common targets.
🏢 Internal Only: MEDIUM - Insider threat or compromised admin account could exploit this internally.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW - Simple resource exhaustion attack once admin access obtained.

Exploitation requires administrative credentials. No public exploit code known at this time.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: File Station 5 version 5.5.6.5018 or later

Vendor Advisory: https://www.qnap.com/en/security-advisory/qsa-26-03

Restart Required: Yes

Instructions:

1. Log into the QNAP NAS web interface as an administrator.
2. Open App Center.
3. Check for updates.
4. Update File Station 5 to version 5.5.6.5018 or later.
5. Restart the NAS if prompted.

🔧 Temporary Workarounds

Disable File Station 5 (applies to: all affected versions)

Temporarily stop File Station 5 if it is not required. This removes the attack surface entirely but also removes browser-based file management for all users.

Log into the QNAP web interface > App Center > find File Station 5 > click 'Stop'

Restrict admin access (applies to: all affected versions)

Limit the number of administrative accounts and require strong authentication (unique passwords, 2-step verification) for those that remain, since an admin session is the only thing the attacker needs.

Control Panel > Privilege > Users > review accounts in the administrators group > remove unnecessary admin privileges

🧯 If You Can't Patch

  • Implement strict monitoring for abnormal resource consumption patterns
  • Enforce principle of least privilege and review all administrative accounts

🔍 How to Verify

Check if Vulnerable:

Check the File Station version in App Center. If the version is below 5.5.6.5018, the system is vulnerable. Compare the version field by field as numbers, not as a string: a plain string comparison would rank a hypothetical 5.5.10.x below 5.5.6.5018.

Check Version:

Check via the web interface App Center, or over SSH. Installed QPKG app versions are recorded in /etc/config/qpkg.conf; the section name used for File Station 5 below is an assumption, so adjust it to whatever the file shows on your unit:

ssh admin@nas_ip "grep -A3 '^\[FileStation5\]' /etc/config/qpkg.conf"

Verify Fix Applied:

Verify File Station version shows 5.5.6.5018 or higher in App Center.
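The version comparison described above, as an added example that is not QNAP's tooling or part of the advisory. It compares dotted versions numerically field by field, and reads the version out of an INI-style qpkg.conf; the sample configuration is constructed for this example, and the `[FileStation5]` section name is an assumption about how QTS records the app.

```shell
#!/bin/sh
# Added example (not QNAP code): decide whether an installed File Station 5
# version is older than the fixed release 5.5.6.5018.

FIXED_VERSION="5.5.6.5018"

# version_cmp A B: print -1, 0 or 1 for A<B, A=B, A>B, comparing each
# dot-separated field as an integer. A missing trailing field counts as 0,
# so 5.5.6 sorts below 5.5.6.5018.
version_cmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        fa="${a%%.*}"; fb="${b%%.*}"
        [ "$a" = "$fa" ] && a="" || a="${a#*.}"
        [ "$b" = "$fb" ] && b="" || b="${b#*.}"
        fa="${fa:-0}"; fb="${fb:-0}"
        if [ "$fa" -lt "$fb" ]; then echo -1; return; fi
        if [ "$fa" -gt "$fb" ]; then echo 1; return; fi
    done
    echo 0
}

# fs_is_vulnerable VERSION: true (exit 0) when VERSION is below the fix.
fs_is_vulnerable() {
    [ "$(version_cmp "$1" "$FIXED_VERSION")" -lt 0 ]
}

# ini_version FILE SECTION: print the "Version = x" value from [SECTION].
ini_version() {
    awk -v sec="[$2]" '
        $0 == sec { in_sec = 1; next }
        /^\[/     { in_sec = 0 }
        in_sec && $1 == "Version" { print $3; exit }
    ' "$1"
}

# Constructed sample of /etc/config/qpkg.conf; the section name and the
# installed version are made up for this example.
sample_conf="$(mktemp)"
trap 'rm -f "$sample_conf"' EXIT
cat > "$sample_conf" <<'EOF'
[Qsync]
Name = Qsync
Version = 5.1.0
[FileStation5]
Name = FileStation5
Version = 5.5.5.4970
EOF

# fs_check_conf FILE: print a verdict for the File Station entry in FILE.
fs_check_conf() {
    v="$(ini_version "$1" FileStation5)"
    if [ -z "$v" ]; then
        echo "File Station 5 not found in $1"
    elif fs_is_vulnerable "$v"; then
        echo "File Station $v is VULNERABLE (fix: $FIXED_VERSION)"
    else
        echo "File Station $v is patched"
    fi
}

fs_check_conf "$sample_conf"
```

On a real unit, point `fs_check_conf` at /etc/config/qpkg.conf over SSH instead of the sample file; if the section is named differently there, change the `FileStation5` argument in `fs_check_conf` to match.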

📡 Detection & Monitoring

Log Indicators:

  • Unusually high resource consumption by File Station processes
  • Multiple admin login attempts followed by resource spikes

Network Indicators:

  • Increased admin interface traffic preceding resource exhaustion

SIEM Query:

source="qnap_nas" process="filestation*" (cpu_pct>90 OR mem_pct>90)

Field names such as process, cpu_pct and mem_pct depend on how the NAS metrics are collected and parsed; adapt them to your collector's schema.
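The host-side check behind the log indicators above, as an added example that is not from QNAP or the advisory: it flags any process whose resident memory exceeds a share of total RAM, or whose CPU share exceeds a threshold, reading `ps -o pid,rss,pcpu,comm` style output (RSS in kB). The sample process list is constructed and its process names are placeholders, not real File Station process names; the `ps` options available on a given NAS may differ.

```shell
#!/bin/sh
# Added example (not QNAP code): flag resource-hogging processes. RSS is
# normalised against MemTotal so the same rule works on a 2 GB and a 64 GB unit.

MEM_PCT_LIMIT="${MEM_PCT_LIMIT:-50}"   # flag when one process holds > 50% of RAM
CPU_PCT_LIMIT="${CPU_PCT_LIMIT:-90}"   # flag when one process uses > 90% CPU

# flag_hogs MEMTOTAL_KB < ps-output
# Reads lines of "PID RSS %CPU COMMAND", prints "pid comm reason" for each
# offender and exits 1 if any were found, 0 otherwise.
flag_hogs() {
    awk -v total="$1" -v mlim="$MEM_PCT_LIMIT" -v clim="$CPU_PCT_LIMIT" '
        NR == 1 && $1 == "PID" { next }          # skip the ps header if present
        NF < 4 { next }                          # ignore blank or truncated lines
        {
            mem_pct = 100 * $2 / total
            if (mem_pct > mlim) {
                printf "%s %s mem=%.0f%%\n", $1, $4, mem_pct; found = 1
            } else if ($3 + 0 > clim) {
                printf "%s %s cpu=%s%%\n", $1, $4, $3; found = 1
            }
        }
        END { exit found ? 1 : 0 }
    '
}

# Constructed sample: a 2 GB unit where one (placeholder-named) File Station
# worker holds ~1.8 GB and a thumbnail job is pinning a core.
MEMTOTAL_KB=2097152
SAMPLE_PS='  PID   RSS %CPU COMMAND
 1234 1843200 12.0 filestation_worker
 1235   20480  3.1 php-fpm
 1236   51200 97.5 thumbnail_gen'

# check_sample: run the rule over the constructed sample and report.
check_sample() {
    if out="$(printf '%s\n' "$SAMPLE_PS" | flag_hogs "$MEMTOTAL_KB")"; then
        echo "no resource hogs"
    else
        echo "ALERT:"
        echo "$out"
    fi
}

check_sample
```

For live use, replace the sample with `ps -o pid,rss,pcpu,comm` and take MemTotal from /proc/meminfo, then run it from cron and forward the output to the SIEM; correlating an alert with the admin login events in the system log is what turns a noisy threshold into the indicator described above.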

🔗 References

  • QNAP Security Advisory QSA-26-03: https://www.qnap.com/en/security-advisory/qsa-26-03