CVE-2019-7195

CRITICAL KEV RANSOMWARE NUCLEI

QNAP Photo Station - Path Traversal

Title source: llm
STIX 2.1

Exploitation Summary

CVE-2019-7195 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added June 8, 2022, with confirmed use in ransomware campaigns. EIP tracks 2 public exploits from researchers including halilkirazkaya, Henry Huang, including a Metasploit module auxiliary/gather/qnap_lfi. A Nuclei detection template is also available.

AI-analyzed exploit summary The repository provides a functional proof-of-concept for CVE-2019-7195, a path traversal vulnerability in QNAP Photo Station. The exploit demonstrates how an attacker can access system files (e.g., /etc/passwd) by manipulating file paths in API requests.

Description

This external control of file name or path vulnerability allows remote attackers to access or modify system files. To fix the vulnerability, QNAP recommend updating Photo Station to their latest versions.

Exploits (2)

github WORKING POC 4 stars
by halilkirazkaya · poc
https://github.com/halilkirazkaya/cve-poc-garage/tree/main/2019/CVE-2019-7195.md

The repository provides a functional proof-of-concept for CVE-2019-7195, a path traversal vulnerability in QNAP Photo Station. The exploit demonstrates how an attacker can access system files (e.g., /etc/passwd) by manipulating file paths in API requests.

Classification
Working Poc 90%
Attack Type
Info Leak
Complexity
Trivial
Reliability
Reliable
Target: QNAP Photo Station
No auth needed
Prerequisites: Network access to the target Photo Station instance
devstral-2 · analyzed Feb 27, 2026 Full analysis →
metasploit WORKING POC
by Henry Huang · rubypoc
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/gather/qnap_lfi.rb

This Metasploit module exploits a local file inclusion (LFI) vulnerability in QNAP QTS and Photo Station, allowing unauthenticated attackers to read arbitrary files from the filesystem. It leverages the Photo Station API to traverse directories and retrieve sensitive files like /etc/shadow.

Classification
Working Poc 100%
Attack Type
Info Leak
Complexity
Moderate
Reliability
Reliable
Target: QNAP QTS (versions before build 20191206) and Photo Station (versions before 5.7.9)
No auth needed
Prerequisites: Network access to the QNAP device · Photo Station service running on port 8080
devstral-2 · analyzed Apr 16, 2026 Full analysis →

Nuclei Templates (1)

QNAP Photo Station - Path Traversal
CRITICALby s4e-io
Shodan: content-length:"580 "http server 1.0"" || http.title:"photo station" || http.title:"qnap"
FOFA: title="photo station" || title="qnap"

References (3)

Core 3

Scores

CVSS v3 9.8
EPSS 0.9411
EPSS Percentile 99.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable yes
Technical Impact total

Details

CISA KEV 2022-06-08
VulnCheck KEV 2020-06-11
InTheWild.io 2020-06-09
ENISA EUVD EUVD-2019-16739
Ransomware Use Confirmed
CWE
CWE-22
Status published
Products (1)
qnap/photo_station < 6.0.3
Published Dec 05, 2019
KEV Added Jun 08, 2022
Tracked Since Feb 18, 2026