QNAP QTS and QuTS hero Resource Allocation Vulnerability Allowing Denial-of-Service

Vulnerability

A vulnerability has been identified in multiple versions of QNAP's operating systems, QTS and QuTS hero, in which resources can be allocated without limits or throttling. Affected releases fall within several version ranges of QTS 5.2.x, QuTS hero h5.2.x and QuTS hero h5.3.x. A remote attacker who has gained access to an administrator account can exploit this vulnerability to monopolize a resource, preventing other systems, applications, or processes from accessing the same type of resource. This could lead to a denial-of-service condition on the affected system.

Impact

Exploitation of this vulnerability can cause a denial-of-service condition, where other systems, applications, or processes are unable to access the same type of resource, potentially leading to disruptions in normal operations.

Remediation

QNAP has released patches for this vulnerability in QTS 5.2.7.3256 build 20250913 and later, as well as in QuTS hero h5.2.7.3256 build 20250913 and later, and QuTS hero h5.3.1.3250 build 20250912 and later. Users are advised to update their systems to the latest version. Instructions for updating QTS or QuTS hero are available on the QNAP website.
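
The fixed releases listed above can be checked against a device inventory. The following Python code is an added example, not part of the original advisory or QNAP's tooling; it assumes firmware strings in the form `5.2.7.3256 build 20250913` (with an `h` prefix for QuTS hero), and the host names and older versions in the sample inventory are constructed.

```python
import re

# Fixed releases as listed in the advisory, keyed by (product, major.minor branch).
FIXED = {
    ("QTS", (5, 2)): ((5, 2, 7, 3256), 20250913),
    ("QuTS hero", (5, 2)): ((5, 2, 7, 3256), 20250913),
    ("QuTS hero", (5, 3)): ((5, 3, 1, 3250), 20250912),
}

# Assumed input format: "5.2.7.3256 build 20250913", "h" prefix for QuTS hero.
_VERSION_RE = re.compile(
    r"^(h?)(\d+)\.(\d+)\.(\d+)\.(\d+)(?:\s+build\s+(\d{8}))?$", re.IGNORECASE
)


def parse_version(text):
    """Return (product, version tuple, build date or None) for a firmware string."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised firmware string: {text!r}")
    product = "QuTS hero" if m.group(1) else "QTS"
    version = tuple(int(part) for part in m.group(2, 3, 4, 5))
    build = int(m.group(6)) if m.group(6) else None
    return product, version, build


def patch_status(text):
    """Classify a firmware string against the fixed release for its branch."""
    product, version, build = parse_version(text)
    fixed = FIXED.get((product, version[:2]))
    if fixed is None:
        return "not-covered"      # branch not named in the advisory
    fixed_version, fixed_build = fixed
    if version != fixed_version:
        return "fixed" if version > fixed_version else "update-needed"
    if build is None:
        return "unknown-build"    # same version number, build date required
    return "fixed" if build >= fixed_build else "update-needed"


if __name__ == "__main__":
    # Constructed inventory; host names and older versions are illustrative only.
    inventory = {
        "nas-01": "5.2.7.3256 build 20250913",
        "nas-02": "h5.3.1.3250 build 20250911",
        "nas-03": "h5.2.6.3195 build 20250715",
        "nas-04": "5.1.9.2954 build 20241120",
    }
    for host, firmware in inventory.items():
        print(f"{host}: {firmware} -> {patch_status(firmware)}")
```

A result of `update-needed` means the release is below the fixed release for its branch, and `not-covered` means the branch is not one the advisory names.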

Added: Jan 2, 2026, 3:18 PM
Updated: Jan 2, 2026, 4:59 PM

Vulnerability Rating

Custom Algorithm

spread: 6.8
impact: 2.5
exploitability: 4.4
remediation: 7.7
relevance: 1.8
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.