CVE-2019-7192
published 2019-12-05CVE-2019-7192: This improper access control vulnerability allows remote attackers to gain unauthorized access to the system. To fix these vulnerabilities, QNAP recommend…
PriorityP197critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
KEVITWEXPLOITRansomware
CISA Known Exploited Vulnerabilitydue 2022-06-22
Exploited in the wild
EPSS
88.21%
99.7th percentile
This improper access control vulnerability allows remote attackers to gain unauthorized access to the system. To fix these vulnerabilities, QNAP recommend updating Photo Station to their latest versions.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| qnap | photo_station | < 6.0.3 | 6.0.3 |
| qnap | photo_station | < 5.7.10 | 5.7.10 |
| qnap | photo_station | < 5.4.9 | 5.4.9 |
| qnap | photo_station | < 5.2.11 | 5.2.11 |
Detection & IOCsextracted from sources · hover to see the quote
sigma↗
regex match on HTTP response body: admin:.*:0:0:
- →Successful exploitation is confirmed by the HTTP response body matching 'admin:.*:0:0:' (passwd file content) and the response header containing 'video/subtitle' with HTTP 200. ↗
- →QNAP Photo Station instances can be fingerprinted via Shodan using the banner 'Content-Length: 580 "http server 1.0"' or HTTP title 'photo station' / 'qnap'. ↗
- →The HTTP server on vulnerable QNAP devices runs as root, enabling access to sensitive files such as SSH private keys and password hashes via the LFI. ↗
- →CVE-2019-7192 was referenced in threat actor operational notes alongside CVE-2023-27532 and CVE-2024-40711, indicating active chaining with Veeam vulnerabilities in ransomware pre-staging campaigns. ↗
- →Threat actor infrastructure at 212.11.64.250:9999 exposed directories including CVE exploit code, FortiGate configuration files, Nuclei scanning templates, and Veeam credential extraction tools — monitor for outbound connections to this IP. ↗
- ·The Nuclei template for CVE-2019-7192 uses a dynamic album_id extracted from the first response and an access_code extracted from the second response; static replay of the three-step request chain will fail without these dynamic values. ↗
- ·The Metasploit LFI module has been tested only on QTS 4.3.3 (unknown Photo Station version) and QTS 4.3.6 with Photo Station 5.7.9; behaviour on other versions is unverified. ↗
CVSS provenance
nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv2.07.5HIGHAV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck9.8CRITICAL
cisa9.8CRITICAL
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-9p75-w4p8-7gvx: This improper access control vulnerability allows remote attackers to gain unauthorized access to the system
ghsa_unreviewed·2022-05-24
CVE-2019-7192 [HIGH] CWE-269 GHSA-9p75-w4p8-7gvx: This improper access control vulnerability allows remote attackers to gain unauthorized access to the system
This improper access control vulnerability allows remote attackers to gain unauthorized access to the system. To fix these vulnerabilities, QNAP recommend updating Photo Station to their latest versions.
VulnCheck
QNAP Photo Station Improper Access Control Vulnerability
vulncheck·2019·CVSS 9.8
CVE-2019-7192 [CRITICAL] CWE-863 QNAP Photo Station Improper Access Control Vulnerability
QNAP Photo Station Improper Access Control Vulnerability
QNAP NAS devices running Photo Station contain an improper access control vulnerability allowing remote attackers to gain unauthorized access to the system.
Affected: QNAP Photo Station
Required Action: Apply updates per vendor instructions.
Known Ransomware Campaign Use: Known
Exploitation References: https://www.cyber.nj.gov/alerts-advisories/ech0raix-ransomware-targets-qnap-devices-in-recent-campaign; https://cybersecurityworks.com/howdymanage/uploads/file/ransomware-_-2022-spotlight-report_compressed.pdf; https://www.cisa.gov/uscert/ncas/alerts/aa22-158a; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://cisa.gov/news-events/cybersecurity-advisories/aa22-158a; https://dashboard.shad
CISA
QNAP Photo Station Improper Access Control Vulnerability
cisa·2022-06-08·CVSS 9.8
CVE-2019-7192 [CRITICAL] CWE-863 QNAP Photo Station Improper Access Control Vulnerability
Vulnerability: QNAP Photo Station Improper Access Control Vulnerability
Affected: QNAP Photo Station
QNAP NAS devices running Photo Station contain an improper access control vulnerability allowing remote attackers to gain unauthorized access to the system.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2019-7192
Remediation Due Date: 2022-06-22
No detection rules found.
Nuclei
QNAP Photo Station - Path Traversal
nuclei·CVSS 9.8
CVE-2019-7195 [CRITICAL] QNAP Photo Station - Path Traversal
QNAP Photo Station - Path Traversal
QNAP devices running Photo Station contain an external control of file name or path vulnerability allowing remote attackers to access or modify system files.
Template:
id: CVE-2019-7195
info:
name: QNAP Photo Station - Path Traversal
author: s4e-io
severity: critical
description: |
QNAP devices running Photo Station contain an external control of file name or path vulnerability allowing remote attackers to access or modify system files.
impact: |
Unauthenticated attackers can exploit path traversal to access or modify system files, potentially reading sensitive configuration files and credentials.
remediation: |
Upgrade to QNAP Photo Station version that addresses this vulnerability or apply vendor-provided patches.
reference:
- https://cycrafttechno
Nuclei
QNAP QTS and Photo Station 6.0.3 - Remote Command Execution
nuclei·CVSS 9.8
CVE-2019-7192 [CRITICAL] QNAP QTS and Photo Station 6.0.3 - Remote Command Execution
QNAP QTS and Photo Station 6.0.3 - Remote Command Execution
This improper access control vulnerability allows remote attackers to gain unauthorized access to the system. To fix these vulnerabilities, QNAP recommend updating Photo Station to their latest versions.
Template:
id: CVE-2019-7192
info:
name: QNAP QTS and Photo Station 6.0.3 - Remote Command Execution
author: DhiyaneshDK
severity: critical
description: |
This improper access control vulnerability allows remote attackers to gain unauthorized access to the system. To fix these vulnerabilities, QNAP recommend updating Photo Station to their latest versions.
impact: |
Successful exploitation of this vulnerability allows remote attackers to execute arbitrary commands on the target system.
remediation: |
Apply the latest security p
Metasploit
QNAP QTS and Photo Station Local File Inclusion
metasploit
QNAP QTS and Photo Station Local File Inclusion
QNAP QTS and Photo Station Local File Inclusion
This module exploits a local file inclusion in QNAP QTS and Photo Station that allows an unauthenticated attacker to download files from the QNAP filesystem. Because the HTTP server runs as root, it is possible to access sensitive files, such as SSH private keys and password hashes. This module has been tested on QTS 4.3.3 (unknown Photo Station version) and QTS 4.3.6 with Photo Station 5.7.9.
http://packetstormsecurity.com/files/157857/QNAP-QTS-And-Photo-Station-6.0.3-Remote-Command-Execution.htmlhttps://www.qnap.com/zh-tw/security-advisory/nas-201911-25http://packetstormsecurity.com/files/157857/QNAP-QTS-And-Photo-Station-6.0.3-Remote-Command-Execution.htmlhttps://www.qnap.com/zh-tw/security-advisory/nas-201911-25https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-7192
2019-12-05
Published
2022-06-08
Added to CISA KEV
Exploited in the wild