CVE-2026-24720

N/A

An allocation of resources without limits or throttling vulnerability has been reported to affect File Station 6. If a remote attacker gains a user account, they can then exploit the vulnerability ...

Affects 0 products across 1 vendor.

CVSS v45.3
EPSS0.3%
Percentile20th
PatchUnknown
CWE Weakness Definitions
CWE-770: Allocation of Resources Without Limits or Throttling

Software allocates resources without imposing limits, allowing attackers to exhaust system capacity.

◆ SAGE Intelligence — CITED Relevance Research Team

QNAP File Station 6 contains a resource exhaustion vulnerability that allows an authenticated remote attacker to monopolize system resources, effectively denying access to other users and processes. An attacker who has obtained any valid user account can exploit this flaw to cause a denial-of-service condition affecting the file storage system. In OT environments where QNAP NAS devices are used for historian data storage, backup, or file sharing between engineering workstations, this could disrupt access to critical operational data and indirectly impact process visibility.

Is this CVE in your environment?

BreachSpider monitors your ICS/OT environment for vulnerabilities like this one. No agents or network access required. Free to start.

Check My Environment →
Frequently Asked Questions
What is CVE-2026-24720?
QNAP File Station 6 contains a resource exhaustion vulnerability that allows an authenticated remote attacker to monopolize system resources, effectively denying access to other users and processes. An attacker who has obtained any valid user account can exploit this flaw to cause a denial-of-service condition affecting the file storage system. In OT environments where QNAP NAS devices are used for historian data storage, backup, or file sharing between engineering workstations, this could disru
Is CVE-2026-24720 actively exploited?
No confirmed active exploitation of CVE-2026-24720 as of 2026-06-24.
How do I remediate CVE-2026-24720?
Update to File Station 5 5.5.6.5243 or later. Patch introduces resource allocation limits and throttling controls within File Station to prevent authenticated users from exhausting system resources and causing denial of service to other users and processes. Advisory: https://www.qnap.com/en/security-advisory/qsa-2026-24720
What systems are affected by CVE-2026-24720?
CVE-2026-24720 affects: Qnap.
Vulnerability Details
CVE IDCVE-2026-24720
Published2026-06-10
Last Modified2026-06-10
ICS Relevance70%
Weakness (CWE)
SourceNVD
Official Description

An allocation of resources without limits or throttling vulnerability has been reported to affect File Station 6. If a remote attacker gains a user account, they can then exploit the vulnerability to prevent other systems, applications, or processes from accessing the same type of resource. We have already fixed the vulnerability in the following version: File Station 5 5.5.6.5243 and later

Source: NIST NVD / MITRE CVE Database

Affected Products
VendorProductFixed Version
Qnap —
Remediation

Fixed Version: File Station 5 5.5.6.5243

Patch introduces resource allocation limits and throttling controls within File Station to prevent authenticated users from exhausting system resources and causing denial of service to other users and processes.

View Vendor Advisory →
Threat Intelligence
● Threat Intelligence Validated: July 2026 | Threat Age: 32 Days
CISA KEVNot in KEV catalog
Public ExploitNot confirmed
PoC CodeNot confirmed
● Virtual Patch — CITED Relevance SAGE Engine LOW CONFIDENCE

Deploy rate-limiting rules on perimeter firewalls and reverse proxies to restrict the number of simultaneous or rapid HTTP/HTTPS requests per authenticated session to QNAP File Station ports (default 443, 8080, 8443). Block all direct internet access to QNAP management interfaces and enforce network segmentation so only authorized OT workstations can reach the NAS. Deploy at network perimeter and inter-VLAN firewall between IT/OT zones.

No reliable network detection signature exists for this vulnerability class — apply the compensating controls above and the vendor patch. SAGE only publishes a network rule when a concrete on-the-wire signature can be grounded in the advisory.

Virtual patch generated by CITED Relevance SAGE. Validate in isolated environment before production deployment. Compensating control only - does not replace vendor patch.

Related CVEs affecting Qnap
CVE-2017-7876 10.0 This command injection vulnerability in QTS allows attackers to run arbitrary... CVE-2024-32766 10.0 An OS command injection vulnerability has been reported to affect several QNA... CVE-2024-32764 9.9 A missing authentication for critical function vulnerability has been reporte... CVE-2017-17033 9.8 A buffer overflow vulnerability in password function in QNAP QTS version 4.2.... CVE-2017-17028 9.8 A buffer overflow vulnerability in external device function in QNAP QTS versi...
View all Qnap CVEs →

ICS/OT Vulnerability Intelligence for Your Environment

BreachSpider monitors 353,228 CVEs across ICS/OT vendors. SAGE-enriched alerts with virtual patches, NERC-CIP mapping, and PSIRT contacts delivered to your SIEM in minutes.

Join free →