CVE-2025-47208

02.01.2026, 15:16

An allocation of resources without limits or throttling vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains a user account, they can then exploit the vulnerability to prevent other systems, applications, or processes from accessing the same type of resource.

We have already fixed the vulnerability in the following versions:
QTS 5.2.6.3195 build 20250715 and later
QuTS hero h5.2.6.3195 build 20250715 and later

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	6.5 MEDIUM	NETWORK	LOW	LOW	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
qnap	CNA	---				---
CISA-ADP	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 29%

Vendor	Product	Version
qnap	qts	5.2.0.2737:build_20240417
qnap	qts	5.2.0.2744:build_20240424
qnap	qts	5.2.0.2782:build_20240601
qnap	qts	5.2.0.2802:build_20240620
qnap	qts	5.2.0.2823:build_20240711
qnap	qts	5.2.0.2851:build_20240808
qnap	qts	5.2.0.2860:build_20240817
qnap	qts	5.2.1.2930:build_20241025
qnap	qts	5.2.2.2950:build_20241114
qnap	qts	5.2.3.3006:build_20250108
qnap	qts	5.2.4.3070:build_20250312
qnap	qts	5.2.4.3079:build_20250321
qnap	qts	5.2.4.3092:build_20250403
qnap	qts	5.2.5.3145:build_20250526
qnap	qts	5.2.6.3195:build_20250715
qnap	qts	5.2.6.3229:build_20250818

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-770 - Allocation of Resources Without Limits or Throttling
The software allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.

Vulnerability Media Exposure

[GERMAN] QNAP NAS: Mehrere Schwachstellen
Ein Angreifer kann diese Schwachstellen ausnutzen, um einen Denial of Service zu verursachen, Informationen offenzulegen und den Speicher zu korrumpieren.
Published: 2026-01-04T23:00:00+00:00

References

https://www.qnap.com/en/security-advisory/qsa-25-50