cbcvebase.
CVE-2019-7192
published 2019-12-05

CVE-2019-7192: This improper access control vulnerability allows remote attackers to gain unauthorized access to the system. To fix these vulnerabilities, QNAP recommend…

PriorityP197critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
KEVITWEXPLOITRansomware
CISA Known Exploited Vulnerabilitydue 2022-06-22
Exploited in the wild
EPSS
88.21%
99.7th percentile
This improper access control vulnerability allows remote attackers to gain unauthorized access to the system. To fix these vulnerabilities, QNAP recommend updating Photo Station to their latest versions.

Affected

4 ranges
VendorProductVersion rangeFixed in
qnapphoto_station< 6.0.36.0.3
qnapphoto_station< 5.7.105.7.10
qnapphoto_station< 5.4.95.4.9
qnapphoto_station< 5.2.115.2.11

Detection & IOCsextracted from sources · hover to see the quote

urlPOST /photo/p/api/album.php
urlGET /photo/slideshow.php?album=
urlPOST /photo/p/api/video.php
path./../../../../../etc/passwd
otherHTTP response header contains: video/subtitle
otherShodan query: Content-Length: 580 "http server 1.0"
sigma
regex match on HTTP response body: admin:.*:0:0:
  • Successful exploitation is confirmed by the HTTP response body matching 'admin:.*:0:0:' (passwd file content) and the response header containing 'video/subtitle' with HTTP 200.
  • QNAP Photo Station instances can be fingerprinted via Shodan using the banner 'Content-Length: 580 "http server 1.0"' or HTTP title 'photo station' / 'qnap'.
  • The HTTP server on vulnerable QNAP devices runs as root, enabling access to sensitive files such as SSH private keys and password hashes via the LFI.
  • CVE-2019-7192 was referenced in threat actor operational notes alongside CVE-2023-27532 and CVE-2024-40711, indicating active chaining with Veeam vulnerabilities in ransomware pre-staging campaigns.
  • Threat actor infrastructure at 212.11.64.250:9999 exposed directories including CVE exploit code, FortiGate configuration files, Nuclei scanning templates, and Veeam credential extraction tools — monitor for outbound connections to this IP.
  • ·The Nuclei template for CVE-2019-7192 uses a dynamic album_id extracted from the first response and an access_code extracted from the second response; static replay of the three-step request chain will fail without these dynamic values.
  • ·The Metasploit LFI module has been tested only on QTS 4.3.3 (unknown Photo Station version) and QTS 4.3.6 with Photo Station 5.7.9; behaviour on other versions is unverified.

CVSS provenance

nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv2.07.5HIGHAV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck9.8CRITICAL
cisa9.8CRITICAL
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.