Executive Summary

CVE-2026-24720 is an uncontrolled resource allocation defect in File Station 6 that allows a remote attacker holding any valid user account to consume system resources without throttling, starving other systems and processes that depend on the same file service. In OT contexts where File Station instances serve as the staging point for historian exports, PLC project files, firmware images, and configuration backups, the physical criticality is the loss of file availability during the exact window an operator needs it.

Technical Exposure Breakdown

The vulnerable component is the File Station 6 application running on the underlying NAS platform. The weakness class is allocation of resources without limits or throttling, meaning the service accepts and processes requests without enforcing an upper bound on memory, connections, file handles, or worker threads tied to a single authenticated session.

The attack vector requires authentication. A remote attacker must first obtain a user account. In practice this lowers the bar considerably in OT environments because shared service accounts, default credentials left on commissioning, and reused engineering logins are common. Once authenticated, the attacker issues a volume of operations that the service queues or processes without backpressure. There is no need for a privileged account or for a separate code execution primitive. The denial condition arises directly from resource starvation.

The conditions for exploitation are straightforward: network reachability to the File Station service, one valid credential, and the ability to sustain request volume. No physical access is required. The vendor lists the fix in File Station 5 5.5.6.5243 and later, which is the corrective version for the affected line. No CVSS score is published at this time and the vulnerability is not currently in the known exploited vulnerability catalog.

OT Impact and Compliance Risk

The physical break here is not data corruption. It is availability denial of a file service that other systems, applications, and processes depend on. In a plant or substation environment, the failure modes are concrete. Historian batch exports that feed regulatory reporting stall. Engineering workstations cannot retrieve or push PLC and RTU project files during a maintenance window. Backup jobs that write configuration snapshots fail silently, leaving you without a clean restore point. If your incident response runbook stages recovery images on this device, the device itself becomes unavailable at the moment you need it most.

From a standards perspective, IEC 62443 availability and resource management requirements are directly implicated, since the control system supplier is expected to enforce resource limits to maintain service under load. For NERC CIP environments, a File Station device inside the electronic security perimeter that supports BES Cyber System backup and recovery falls under CIP-009 recovery planning, and a denial of that recovery asset is a defensible audit finding. Water utilities operating under AWIA 2018 risk and resilience obligations should treat a recovery file store outage as a documented resilience gap. Pipeline operators under TSA SD-02C should map this device against their critical cyber system inventory if it supports operational recovery or segmentation enforcement.

Compensating Controls

Patching to 5.5.6.5243 or later is the resolution, but in OT the upgrade window is often weeks or months out, so treat the following as the interim posture.

BreachSpider Intel

BreachSpider tracks CVE-2026-24720 and related file service exposures across OT asset inventories so operators can prioritize remediation against physical recovery dependencies rather than raw severity scores.