CVE-2019-7195

CRITICAL KEV RANSOMWARE NUCLEI

QNAP Photo Station - Path Traversal

Title source: llm

Description

This external control of file name or path vulnerability allows remote attackers to access or modify system files. To fix the vulnerability, QNAP recommend updating Photo Station to their latest versions.

Exploits (2)

github WORKING POC 4 stars

by halilkirazkaya · poc

https://github.com/halilkirazkaya/cve-poc-garage/tree/main/2019/CVE-2019-7195.md

View Code ZIP pw:eip

metasploit WORKING POC

by Henry Huang · rubypoc

https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/gather/qnap_lfi.rb

View Code ZIP pw:eip

Nuclei Templates (1)

QNAP Photo Station - Path Traversal

CRITICALby s4e-io

Shodan: content-length:"580 "http server 1.0"" || http.title:"photo station" || http.title:"qnap"

FOFA: title="photo station" || title="qnap"

References (3)

[Exploit, Third Party Advisory, VDB Entry] http://packetstormsecurity.com/files/157857/QNAP-QTS-And-Photo-Station-6.0.3-Remote-Command-Execution.html

[Vendor Advisory] https://www.qnap.com/zh-tw/security-advisory/nas-201911-25

[US Government Resource] https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-7195

Scores

CVSS v3 9.8

EPSS 0.9411

EPSS Percentile 99.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CISA KEV 2022-06-08

VulnCheck KEV 2020-06-11

InTheWild.io 2020-06-09

ENISA EUVD EUVD-2019-16739

Ransomware Use Confirmed

CWE

CWE-22

Status published

Products (1)

qnap/photo_station < 6.0.3

Published Dec 05, 2019

KEV Added Jun 08, 2022

Tracked Since Feb 18, 2026