SB2025060944 - Multiple vulnerabilities in QNAP File Station 5


Published: June 9, 2025

Security Bulletin ID: SB2025060944
CSH Severity: Medium
Patch available: YES
Number of vulnerabilities: 10
Exploitation vector: Remote access
Highest impact: Denial of service

Breakdown by Severity

Medium: 90%
Low: 10%

Description

This security bulletin contains information about 10 vulnerabilities.


1) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2025-22484)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to allocation of resources without limits or throttling. A remote user can cause a denial of service condition on the target system.


2) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2025-29872)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to allocation of resources without limits or throttling. A remote user can cause a denial of service condition on the target system.


3) NULL pointer dereference (CVE-ID: CVE-2025-22490)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference error. A remote user can pass specially crafted data to the application and perform a denial of service (DoS) attack.


4) NULL pointer dereference (CVE-ID: CVE-2025-29873)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference error. A remote user can pass specially crafted data to the application and perform a denial of service (DoS) attack.


5) NULL pointer dereference (CVE-ID: CVE-2025-29876)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference error. A remote attacker can pass specially crafted data to the application and perform a denial of service (DoS) attack.


6) NULL pointer dereference (CVE-ID: CVE-2025-29877)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference error. A remote user can pass specially crafted data to the application and perform a denial of service (DoS) attack.


7) Out-of-bounds read (CVE-ID: CVE-2025-29871)

The vulnerability allows a local user to gain access to potentially sensitive information.

The vulnerability exists due to a boundary condition. A local administrator can trigger an out-of-bounds read error and read contents of memory on the system.


8) Path traversal (CVE-ID: CVE-2025-33035)

The vulnerability allows a remote attacker to perform directory traversal attacks.

The vulnerability exists due to an input validation error when processing directory traversal sequences. A remote user can send a specially crafted HTTP request and read arbitrary files on the system.


9) Improper Certificate Validation (CVE-ID: CVE-2025-30279)

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to improper certificate validation. A remote user can perform a denial of service (DoS) attack.


10) Improper Certificate Validation (CVE-ID: CVE-2025-33031)

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to improper certificate validation. A remote user can perform a denial of service (DoS) attack.


Remediation

Install the update from the vendor's website.