CVE-2022-27593
Published: 2022-09-08
CVE-2022-27593: An externally controlled reference to a resource vulnerability has been reported to affect QNAP NAS running Photo Station. If exploited, this could allow an…
Priority: P1 · 96 · critical · 9.1 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:N / I:H / A:H
Tags: KEV · ITW · EXPLOIT · Ransomware
CISA Known Exploited Vulnerability, due 2022-09-29
Exploited in the wild
EPSS: 87.91% (99.7th percentile)
An externally controlled reference to a resource vulnerability has been reported to affect QNAP NAS running Photo Station. If exploited, this could allow an attacker to modify system files. We have already fixed the vulnerability in the following versions:
- QTS 5.0.1: Photo Station 6.1.2 and later
- QTS 5.0.0/4.5.x: Photo Station 6.0.22 and later
- QTS 4.3.6: Photo Station 5.7.18 and later
- QTS 4.3.3: Photo Station 5.4.15 and later
- QTS 4.2.6: Photo Station 5.2.14 and later
Affected
10 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| qnap | photo_station | < 5.2.14 | 5.2.14 |
| qnap | photo_station | < 5.4.15 | 5.4.15 |
| qnap | photo_station | < 5.7.18 | 5.7.18 |
| qnap | photo_station | < 6.0.22 | 6.0.22 |
| qnap | photo_station | < 6.1.2 | 6.1.2 |
| qnap_systems_inc | photo_station | >= unspecified < 6.1.2 | 6.1.2 |
| qnap_systems_inc | photo_station | >= unspecified < 6.0.22 | 6.0.22 |
| qnap_systems_inc | photo_station | >= unspecified < 5.7.18 | 5.7.18 |
| qnap_systems_inc | photo_station | >= unspecified < 5.4.15 | 5.4.15 |
| qnap_systems_inc | photo_station | >= unspecified < 5.2.14 | 5.2.14 |
Detection & IOCs (extracted from sources)
url: /photo/combine.php?type=javascript&g=core-r7rules/../../../hello.php.
- Exploit request targets /photo/combine.php with a path traversal payload in the 'g' parameter using 'core-r7rules/../../../' to achieve local file inclusion on QNAP Photo Station.
- Successful exploitation returns HTTP 200 with a response body containing '!function(p,qa){', 'module.exports', and 'application/javascript'; all three must be present.
- Shodan/FOFA fingerprinting for exposed QNAP Photo Station instances: search for title 'QNAP', 'photo station', or content-length 580 with 'http server 1.0'.
- CVE-2022-27593 was actively exploited in the DeadBolt ransomware campaign targeting QNAP NAS devices with internet exposure.
- The vulnerability is exploitable only on QNAP NAS devices running Photo Station with internet exposure; prioritize detection on internet-facing QNAP instances.
- The nuclei template uses a single GET request for detection; the path traversal payload includes a trailing dot on the filename ('hello.php.') which may be significant for bypassing extension filters on the target.
- Fixed versions vary by QTS branch; ensure version checks account for all affected branches (QTS 4.2.6 through 5.0.1) when scoping detection or patching.
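The request pattern above can be hunted in web access logs. The following is an added example, not code from the page or from any of the cited sources: it flags requests to /photo/combine.php whose `g` parameter contains a `..` path segment, and goes beyond the literal IOC by also normalising percent-encoded and double-encoded forms. The combined log format, the function names and the sample lines are assumptions made for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Request line of a combined-format access log entry (assumed log format).
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
ENDPOINT = "/photo/combine.php"  # endpoint named in the IOC above

# Constructed sample lines using documentation addresses, not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [08/Sep/2022:10:00:01 +0000] "GET /photo/combine.php?type=javascript&g=core-r7rules/../../../hello.php. HTTP/1.1" 200 512',
    '192.0.2.11 - - [08/Sep/2022:10:00:02 +0000] "GET /photo/combine.php?type=javascript&g=core-r7rules%252f%252e%252e%252fx HTTP/1.1" 404 0',
    '198.51.100.7 - - [08/Sep/2022:10:00:03 +0000] "GET /photo/combine.php?type=javascript&g=core-r7rules HTTP/1.1" 200 9000',
    '198.51.100.8 - - [08/Sep/2022:10:00:04 +0000] "GET /photo/index.php HTTP/1.1" 200 100',
]


def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so %2e%2e and %252e%252e both normalise to '..'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def has_traversal(value):
    """True if any path segment of the decoded value is '..' (either slash style)."""
    return ".." in re.split(r"[\\/]+", fully_decode(value))


def classify(line):
    """Return None for unrelated lines, else a dict describing the suspicious request."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if fully_decode(url.path).lower() != ENDPOINT:
        return None
    # parse_qs decodes one layer; has_traversal strips any remaining layers.
    g_values = parse_qs(url.query, keep_blank_values=True).get("g", [])
    hits = [g for g in g_values if has_traversal(g)]
    src, status = line.split(" ", 1)[0], int(m.group("status"))
    return {"src": src, "status": status, "g": hits} if hits else None


def scan(lines):
    # Keep only the lines that classify() flagged.
    return [hit for hit in map(classify, lines) if hit]
```

Access logs do not record response bodies, so the `status` field is only a triage hint; the three body markers listed above still need a packet capture or proxy log to confirm.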
CVSS provenance
- nvd (v3.1): 9.1 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
- vulncheck: 10.0 CRITICAL
- cisa: 9.1 CRITICAL
GHSA
GHSA-c84w-pfmp-9cxg: An externally controlled reference to a resource vulnerability has been reported to affect QNAP NAS running Photo Station
ghsa_unreviewed·2022-09-09
CVE-2022-27593 [CRITICAL] CWE-610 GHSA-c84w-pfmp-9cxg: An externally controlled reference to a resource vulnerability has been reported to affect QNAP NAS running Photo Station
An externally controlled reference to a resource vulnerability has been reported to affect QNAP NAS running Photo Station. If exploited, this could allow an attacker to modify system files. We have already fixed the vulnerability in the following versions: QTS 5.0.1: Photo Station 6.1.2 and later; QTS 5.0.0/4.5.x: Photo Station 6.0.22 and later; QTS 4.3.6: Photo Station 5.7.18 and later; QTS 4.3.3: Photo Station 5.4.15 and later; QTS 4.2.6: Photo Station 5.2.14 and later.
VulnCheck
QNAP Photo Station Externally Controlled Reference Vulnerability
vulncheck·2022·CVSS 10.0
CVE-2022-27593 [CRITICAL] CWE-610 QNAP Photo Station Externally Controlled Reference Vulnerability
QNAP Photo Station Externally Controlled Reference Vulnerability
Certain QNAP NAS running Photo Station with internet exposure contain an externally controlled reference to a resource vulnerability which can allow an attacker to modify system files. This vulnerability was observed being utilized in a Deadbolt ransomware campaign.
Affected: QNAP Photo Station
Required Action: Apply updates per vendor instructions.
Known Ransomware Campaign Use: Known
Exploitation References: https://www.qnap.com/en-us/security-advisory/qsa-22-24; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://www.ivanti.com/resources/v/doc/pr-survey-report/ransomware-quarterly-indexreport_q2-q3; https://cisa.gov/news-events/cybersecurity-advisories/aa23-215a; https://dashbo
CISA
QNAP Photo Station Externally Controlled Reference Vulnerability
cisa·2022-09-08·CVSS 9.1
CVE-2022-27593 [CRITICAL] CWE-610 QNAP Photo Station Externally Controlled Reference Vulnerability
Vulnerability: QNAP Photo Station Externally Controlled Reference Vulnerability
Affected: QNAP Photo Station
Certain QNAP NAS running Photo Station with internet exposure contain an externally controlled reference to a resource vulnerability which can allow an attacker to modify system files. This vulnerability was observed being utilized in a Deadbolt ransomware campaign.
Required Action: Apply updates per vendor instructions.
Notes: https://www.qnap.com/en/security-advisory/qsa-22-24; https://nvd.nist.gov/vuln/detail/CVE-2022-27593
Remediation Due Date: 2022-09-29
No detection rules found.
Nuclei
QNAP QTS Photo Station External Reference - Local File Inclusion
nuclei·CVSS 9.1
CVE-2022-27593 [CRITICAL] QNAP QTS Photo Station External Reference - Local File Inclusion
QNAP QTS Photo Station External Reference - Local File Inclusion
QNAP QTS Photo Station External Reference is vulnerable to local file inclusion via an externally controlled reference to a resource vulnerability. If exploited, this could allow an attacker to modify system files. The vulnerability is fixed in the following versions: QTS 5.0.1: Photo Station 6.1.2 and later; QTS 5.0.0/4.5.x: Photo Station 6.0.22 and later; QTS 4.3.6: Photo Station 5.7.18 and later; QTS 4.3.3: Photo Station 5.4.15 and later; QTS 4.2.6: Photo Station 5.2.14 and later.
Template:
```yaml
id: CVE-2022-27593

info:
  name: QNAP QTS Photo Station External Reference - Local File Inclusion
  author: allenwest24
  severity: critical
  description: |
    QNAP QTS Photo Station External Reference is vulnerable to local file inclusion via an
```
Securelist
IoT threats in 2023
blogs_securelist·2023-09-21
IoT threats in 2023
Table of Contents
- Attack vectors
- Dark web services: DDoS attacks, botnets, and zero-day IoT vulnerabilities
- Objectives and types of malware that attacks the IoT
- IoT malware: competition and persistence
- Other threats stemming from the lack of IoT device security
- Conclusion
Authors
- Vitaly Morgunov
- Yaroslav Shmelev
- Kaspersky Security Services
- Kaspersky ICS CERT
IoT devices (routers, cameras, NAS boxes, and smart home components) multiply every year. Statista portal predicts their number will exceed 29 billion by 2030. As connected device numbers increase, so does the need for protection against various threats. The first-ever large-scale malware attacks on IoT devices were recorded back in 2008, and their number has only been growing ever since. We conducted an analys
Tenable
AA23-215A: 2022's Top Routinely Exploited Vulnerabilities
blogs_tenable·2023-08-03
AA23-215A: 2022's Top Routinely Exploited Vulnerabilities
Greynoiseio
Battling Ransomware One Tag At A Time
blogs_greynoiseio
Battling Ransomware One Tag At A Time
Timeline
- 2022-09-08: Published
- 2022-09-08: Added to CISA KEV
- Exploited in the wild