Cyber Resilience

CVE-2019-7192

Critical · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC · Ransomware-linked

Published: 05 December 2019

Modified: 27 October 2025
KEV Added: 08 June 2022
Patch
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.9430 (99.9th percentile)
Risk Priority: 96 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2019-7192 is a critical-severity Incorrect Authorization (CWE-863) vulnerability in QNAP Photo Station. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 0.1% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2019-7192 is an improper access control vulnerability, tracked under CWE-863, that affects QNAP Photo Station. It received a CVSS v3.1 base score of 9.8 and permits remote attackers to obtain unauthorized access to the system without requiring authentication.

The flaw can be exploited over the network by unauthenticated attackers to gain unauthorized access, which in practice has been shown to enable remote command execution on affected QNAP QTS installations running vulnerable versions of Photo Station.

QNAP security advisories direct users to update Photo Station to the latest available versions to address the issue. The vulnerability appears in CISA's catalog of known exploited vulnerabilities, and public proof-of-concept code for remote command execution has been published.

EU & UK References

Vulnerability details

This improper access control vulnerability allows remote attackers to gain unauthorized access to the system. To fix these vulnerabilities, QNAP recommends updating Photo Station to the latest versions.

CWE(s)
KEV Date Added: 08 June 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

QNAP Photo Station: ≤ 6.0.3 · ≤ 5.7.10 · ≤ 5.4.9

Mitigating Controls (NIST 800-53 r5)

Prevent: Directly enforces access control policies to block unauthenticated remote access that CVE-2019-7192 exploits.

Prevent: Requires timely application of vendor patches that QNAP states are the fix for the Photo Station flaw.

Prevent: Mandates identification and authentication prior to granting system access, directly countering the missing-authentication vector.

References