CVE-2022-27593
published 2022-09-08


Priority: P1 (96)
Severity: Critical, CVSS 3.1 base score 9.1 (AV:N / AC:L / PR:N / UI:N / S:U / C:N / I:H / A:H)
Tags: KEV, in the wild (ITW), public exploit, ransomware
CISA Known Exploited Vulnerabilities catalog: listed, remediation due 2022-09-29
Exploited in the wild: yes
EPSS: 87.91% (99.7th percentile)
An externally controlled reference to a resource vulnerability has been reported to affect QNAP NAS running Photo Station. If exploited, this could allow an attacker to modify system files. QNAP has fixed the vulnerability in the following versions:

  QTS 5.0.1:        Photo Station 6.1.2 and later
  QTS 5.0.0/4.5.x:  Photo Station 6.0.22 and later
  QTS 4.3.6:        Photo Station 5.7.18 and later
  QTS 4.3.3:        Photo Station 5.4.15 and later
  QTS 4.2.6:        Photo Station 5.2.14 and later

Note that the fixed Photo Station version depends on the QTS branch the NAS is running; a Photo Station version number on its own is not enough to decide whether a device is patched.

Affected

10 ranges (the same five fixed versions appear under two CPE vendor names, "qnap" and "qnap_systems_inc"; "unspecified" means no lower bound is recorded)

Vendor            | Product       | Version range          | Fixed in | QTS branch (from the advisory)
------------------|---------------|------------------------|----------|-------------------------------
qnap              | photo_station | < 5.2.14               | 5.2.14   | 4.2.6
qnap              | photo_station | < 5.4.15               | 5.4.15   | 4.3.3
qnap              | photo_station | < 5.7.18               | 5.7.18   | 4.3.6
qnap              | photo_station | < 6.0.22               | 6.0.22   | 5.0.0 / 4.5.x
qnap              | photo_station | < 6.1.2                | 6.1.2    | 5.0.1
qnap_systems_inc  | photo_station | >= unspecified < 6.1.2 | 6.1.2    | 5.0.1
qnap_systems_inc  | photo_station | >= unspecified < 6.0.22| 6.0.22   | 5.0.0 / 4.5.x
qnap_systems_inc  | photo_station | >= unspecified < 5.7.18| 5.7.18   | 4.3.6
qnap_systems_inc  | photo_station | >= unspecified < 5.4.15| 5.4.15   | 4.3.3
qnap_systems_inc  | photo_station | >= unspecified < 5.2.14| 5.2.14   | 4.2.6

Detection & IOCs (extracted from sources)

URL: /photo/combine.php?type=javascript&g=core-r7rules/../../../hello.php.
  • The exploit request targets /photo/combine.php with a path traversal payload in the 'g' parameter ('core-r7rules/../../../'), achieving local file inclusion on QNAP Photo Station.
  • Successful exploitation returns HTTP 200 with a response body containing '!function(p,qa){', 'module.exports', and 'application/javascript'; all three markers must be present for the check to count as a hit.
  • Shodan/FOFA fingerprinting for exposed QNAP Photo Station instances: search for the title 'QNAP', 'photo station', or content-length 580 together with 'http server 1.0'.
  • CVE-2022-27593 was actively exploited in the DeadBolt ransomware campaign against internet-exposed QNAP NAS devices.
  • The vulnerability is reachable by anyone who can send HTTP requests to the Photo Station web interface. The devices actually hit were internet-exposed, so prioritize detection and patching on internet-facing QNAP instances, but do not treat LAN-only devices as safe.
  • The nuclei template detects with a single GET request. The payload's filename ends in a trailing dot ('hello.php.'), which may be there to get past an extension check on the target; the sources quoted here do not say, so reproduce the request byte-for-byte rather than normalizing the dot away.
  • Fixed versions vary by QTS branch (QTS 4.2.6 through 5.0.1); version checks used for scoping detection or patching must pair the Photo Station version with the QTS branch, because a Photo Station version that is fixed on one branch can be below the fix threshold on another.
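The three detection points above (the exploit-response matcher, the QTS-branch-aware version check, and spotting the traversal request in web server logs) as one added Python example. This is illustrative code written for this page, not the nuclei template or any QNAP tooling: the probe path is copied from the URL quoted above, the fix thresholds come from the advisory text, and the access-log lines are constructed samples in Apache combined format. The encoded-traversal variants in the log regex (%2e%2e%2f and mixed forms) are an assumption about how the payload might be obfuscated, not something the page's sources report.

```python
import re
from typing import List, Optional, Sequence, Tuple

# Probe path, copied from the exploit URL quoted on the page (trailing dot kept verbatim).
PROBE_PATH = "/photo/combine.php?type=javascript&g=core-r7rules/../../../hello.php."

# Body markers the page says must ALL be present for a successful hit.
SUCCESS_MARKERS = ("!function(p,qa){", "module.exports", "application/javascript")


def probe_response_indicates_exploitable(status: int, body: str) -> bool:
    """Apply the page's matcher: HTTP 200 and every marker present in the body."""
    return status == 200 and all(marker in body for marker in SUCCESS_MARKERS)


# First fixed Photo Station version per QTS branch, from the advisory text on the page.
FIXED_BY_QTS_BRANCH = {
    "5.0.1": (6, 1, 2),
    "5.0.0": (6, 0, 22),
    "4.5":   (6, 0, 22),
    "4.3.6": (5, 7, 18),
    "4.3.3": (5, 4, 15),
    "4.2.6": (5, 2, 14),
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '6.0.22' into (6, 0, 22) so tuples compare numerically."""
    return tuple(int(part) for part in version.split("."))


def fixed_photo_station_for(qts_version: str) -> Optional[Tuple[int, ...]]:
    """Return the fix threshold for a QTS build, matching the longest branch prefix."""
    best_branch, best_fixed = None, None
    for branch, fixed in FIXED_BY_QTS_BRANCH.items():
        if qts_version == branch or qts_version.startswith(branch + "."):
            if best_branch is None or len(branch) > len(best_branch):
                best_branch, best_fixed = branch, fixed
    return best_fixed


def photo_station_is_vulnerable(qts_version: str, ps_version: str) -> Optional[bool]:
    """True if Photo Station is below the fix for this QTS branch, False if at/above,
    None if the QTS branch is not one the advisory lists (scope it manually)."""
    fixed = fixed_photo_station_for(qts_version)
    if fixed is None:
        return None
    return parse_version(ps_version) < fixed


# combine.php request whose 'g' parameter carries a plain or URL-encoded '../'.
TRAVERSAL_RE = re.compile(
    r"/photo/combine\.php\?[^ \"]*\bg=[^ \"]*(?:\.\./|%2e%2e%2f|%2e%2e/|\.\.%2f)",
    re.IGNORECASE,
)


def find_traversal_hits(log_lines: Sequence[str]) -> List[Tuple[int, str]]:
    """Return (line_number, matched_request_fragment) for lines carrying the traversal pattern."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        match = TRAVERSAL_RE.search(line)
        if match:
            hits.append((number, match.group(0)))
    return hits


# Constructed sample access log (not real traffic). Lines 2 and 4 carry the traversal.
SAMPLE_ACCESS_LOG = [
    '203.0.113.7 - - [08/Sep/2022:10:01:02 +0000] "GET /photo/ HTTP/1.1" 200 580 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [08/Sep/2022:10:01:05 +0000] "GET /photo/combine.php?type=javascript'
    '&g=core-r7rules/../../../hello.php. HTTP/1.1" 200 4213 "-" "python-requests/2.28"',
    '198.51.100.9 - - [08/Sep/2022:10:02:11 +0000] "GET /photo/combine.php?type=javascript'
    '&g=core-r7rules HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [08/Sep/2022:10:03:40 +0000] "GET /photo/combine.php?type=css'
    '&g=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 404 210 "-" "curl/7.85"',
]


if __name__ == "__main__":
    for number, fragment in find_traversal_hits(SAMPLE_ACCESS_LOG):
        print(f"line {number}: {fragment}")
    for qts, ps in (("5.0.1.2131", "6.1.1"), ("4.5.4.2012", "6.0.22"), ("4.4.1", "5.0.0")):
        print(f"QTS {qts} / Photo Station {ps}: vulnerable={photo_station_is_vulnerable(qts, ps)}")
```

The log regex deliberately keys on `combine.php` plus a traversal in `g` rather than on the literal `hello.php.` filename, so a reused payload pointing at a different target file still fires; the version check returns `None` rather than `False` for QTS branches the advisory does not list, because silently marking those as patched is the mistake the last bullet warns about.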

CVSS provenance

NVD (v3.1):  9.1 CRITICAL, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
VulnCheck:   10.0 CRITICAL
CISA:        9.1 CRITICAL