CVE-2019-7192

CRITICAL KEV RANSOMWARE NUCLEI

QNAP Photo Station - Info Disclosure

Title source: llm

Description

This improper access control vulnerability allows remote attackers to gain unauthorized access to the system. To fix these vulnerabilities, QNAP recommend updating Photo Station to their latest versions.

Exploits (3)

nomisec WORKING POC 86 stars

by th3gundy · infoleak

https://github.com/th3gundy/CVE-2019-7192_QNAP_Exploit

View Code ZIP pw:eip

nomisec SCANNER 13 stars

by cycraft-corp · poc

https://github.com/cycraft-corp/cve-2019-7192-check

View Code ZIP pw:eip

metasploit WORKING POC

by Henry Huang · rubypoc

https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/gather/qnap_lfi.rb

View Code ZIP pw:eip

Nuclei Templates (1)

QNAP QTS and Photo Station 6.0.3 - Remote Command Execution

CRITICALVERIFIEDby DhiyaneshDK

Shodan:

Content-Length: 580 "http server 1.0" || http.title:"photo station" || http.title:"qnap" || content-length: 580 "http server 1.0"

FOFA: title="photo station" || title="qnap"

References (3)

[Exploit, Third Party Advisory, VDB Entry] http://packetstormsecurity.com/files/157857/QNAP-QTS-And-Photo-Station-6.0.3-Remote-Command-Execution.html

[Vendor Advisory] https://www.qnap.com/zh-tw/security-advisory/nas-201911-25

[US Government Resource] https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-7192

Scores

CVSS v3 9.8

EPSS 0.9430

EPSS Percentile 99.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CISA KEV 2022-06-08

VulnCheck KEV 2020-06-11

InTheWild.io 2020-06-09

ENISA EUVD EUVD-2019-16736

Ransomware Use Confirmed

CWE

CWE-863

Status published

Products (1)

qnap/photo_station < 6.0.3

Published Dec 05, 2019

KEV Added Jun 08, 2022

Tracked Since Feb 18, 2026