CVE-2019-7194

CRITICAL KEV RANSOMWARE NUCLEI

QNAP Photo Station - Path Traversal

Title source: llm

Description

This external control of file name or path vulnerability allows remote attackers to access or modify system files. To fix the vulnerability, QNAP recommend updating Photo Station to their latest versions.

Exploits (1)

metasploit WORKING POC

by Henry Huang · rubypoc

https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/gather/qnap_lfi.rb

View Code ZIP pw:eip

Nuclei Templates (1)

QNAP Photo Station < 6.0.3 - Remote Code Execution

CRITICALVERIFIEDby x-stp

Shodan: content-length:"580 "http server 1.0"" || http.title:"photo station" || http.title:"qnap"

FOFA: title="photo station" || title="qnap"

References (3)

[Exploit, Third Party Advisory, VDB Entry] http://packetstormsecurity.com/files/157857/QNAP-QTS-And-Photo-Station-6.0.3-Remote-Command-Execution.html

[Vendor Advisory] https://www.qnap.com/zh-tw/security-advisory/nas-201911-25

[US Government Resource] https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-7194

Scores

CVSS v3 9.8

EPSS 0.9394

EPSS Percentile 99.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CISA KEV 2022-06-08

VulnCheck KEV 2020-06-11

InTheWild.io 2020-06-09

ENISA EUVD EUVD-2019-16738

Ransomware Use Confirmed

CWE

CWE-22

Status published

Products (1)

qnap/photo_station < 6.0.3

Published Dec 05, 2019

KEV Added Jun 08, 2022

Tracked Since Feb 18, 2026