CVE-2019-7192

CRITICAL KEV RANSOMWARE NUCLEI

QNAP Photo Station - Info Disclosure

Title source: llm
STIX 2.1

Exploitation Summary

CVE-2019-7192 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added June 8, 2022, with confirmed use in ransomware campaigns. EIP tracks 3 public exploits from researchers including th3gundy, cycraft-corp, Henry Huang, including a Metasploit module auxiliary/gather/qnap_lfi. A Nuclei detection template is also available.

AI-analyzed exploit summary This exploit targets CVE-2019-7192, a pre-authentication root RCE vulnerability in QNAP NAS devices. It chains multiple vulnerabilities to read sensitive system files like /etc/passwd, /etc/shadow, and SSH private keys by abusing session handling and path traversal.

Description

This improper access control vulnerability allows remote attackers to gain unauthorized access to the system. To fix these vulnerabilities, QNAP recommend updating Photo Station to their latest versions.

Exploits (3)

nomisec WORKING POC 86 stars
by th3gundy · infoleak
https://github.com/th3gundy/CVE-2019-7192_QNAP_Exploit

This exploit targets CVE-2019-7192, a pre-authentication root RCE vulnerability in QNAP NAS devices. It chains multiple vulnerabilities to read sensitive system files like /etc/passwd, /etc/shadow, and SSH private keys by abusing session handling and path traversal.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: QNAP NAS (multiple versions, pre-2019 patches)
No auth needed
Prerequisites: Network access to vulnerable QNAP NAS device · Photo Station service enabled
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec SCANNER 13 stars
by cycraft-corp · poc
https://github.com/cycraft-corp/cve-2019-7192-check

This repository contains a Python-based scanner to check for QNAP NAS vulnerabilities (CVE-2019-7192 to CVE-2019-7195) by analyzing version and date information from the target device. It does not exploit the vulnerabilities but identifies potentially vulnerable systems.

Classification
Scanner 95%
Attack Type
Info Leak
Complexity
Trivial
Reliability
Reliable
Target: QNAP NAS (versions 6.x, 5.7.x, 5.4.x, 5.2.x)
No auth needed
Prerequisites: List of target IPs and ports
devstral-2 · analyzed Feb 16, 2026 Full analysis →
metasploit WORKING POC
by Henry Huang · rubypoc
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/gather/qnap_lfi.rb

This Metasploit module exploits a local file inclusion (LFI) vulnerability in QNAP QTS and Photo Station, allowing unauthenticated attackers to download sensitive files such as /etc/shadow. It automates the retrieval of album IDs and access codes to perform the LFI attack.

Classification
Working Poc 100%
Attack Type
Info Leak
Complexity
Moderate
Reliability
Reliable
Target: QNAP QTS (versions before build 20191206) and Photo Station (versions before 5.7.9)
No auth needed
Prerequisites: Network access to the QNAP device on port 8080 · Photo Station service enabled
devstral-2 · analyzed Apr 16, 2026 Full analysis →

Nuclei Templates (1)

QNAP QTS and Photo Station 6.0.3 - Remote Command Execution
CRITICALVERIFIEDby DhiyaneshDK
Shodan: Content-Length: 580 "http server 1.0" || http.title:"photo station" || http.title:"qnap" || content-length: 580 "http server 1.0"
FOFA: title="photo station" || title="qnap"

References (3)

Core 3

Scores

CVSS v3 9.8
EPSS 0.9430
EPSS Percentile 99.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable yes
Technical Impact total

Details

CISA KEV 2022-06-08
VulnCheck KEV 2020-06-11
InTheWild.io 2020-06-09
ENISA EUVD EUVD-2019-16736
Ransomware Use Confirmed
CWE
CWE-863
Status published
Products (1)
qnap/photo_station < 6.0.3
Published Dec 05, 2019
KEV Added Jun 08, 2022
Tracked Since Feb 18, 2026