⚠ Actively exploited in ransomware campaigns

This vulnerability is on the CISA Known Exploited Vulnerabilities list and has been used in known ransomware attacks. CISA required action: Apply updates per vendor instructions.. Due date: 2022-06-22.

CVE-2019-7193 — Improper Input Validation in Qnap QTS

CWE-20 — Improper Input Validation5 documents5 sources

Severity

9.8CRITICALNVD

EPSS

25.8%

top 3.74%

CISA KEV

KEVRansomware

Added 2022-06-08

Due 2022-06-22

Exploit

Exploited in wild

Active exploitation observed

Affected products

Qnap QTS

Timeline

PublishedDec 5

KEV addedJun 8

KEV dueJun 22

CISA Required Action: Apply updates per vendor instructions.

Description

This improper input validation vulnerability allows remote attackers to inject arbitrary code to the system. To fix the vulnerability, QNAP recommend updating QTS to their latest versions.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages1 packages

▶NVDqnap/qts16 versions+15

🔴Vulnerability Details

GHSA

GHSA-964w-hfj4-c2g7: This improper input validation vulnerability allows remote attackers to inject arbitrary code to the system↗2022-05-24

▶

CVEList

CVE-2019-7193: This improper input validation vulnerability allows remote attackers to inject arbitrary code to the system↗2019-12-05

▶

VulnCheck

QNAP QTS Improper Input Validation Vulnerability↗2019

▶

📋Vendor Advisories

CISA

QNAP QTS Improper Input Validation Vulnerability↗2022-06-08

▶