Cyber Resilience

CVE-2019-7194

Critical · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC · Ransomware-linked

Published: 05 December 2019

Modified: 27 October 2025
KEV Added: 08 June 2022
Patch
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.9394 (99.9th percentile)
Risk Priority: 96 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2019-7194 is a critical-severity Path Traversal (CWE-22) vulnerability in QNAP Photo Station. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 0.1% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2019-7194 is an external control of file name or path vulnerability, also known as a path traversal issue under CWE-22, that affects QNAP Photo Station. The flaw permits unauthorized manipulation of file paths and carries a CVSS 3.1 base score of 9.8, reflecting network-accessible attack vectors with no required authentication or user interaction and full impact on confidentiality, integrity, and availability.

Remote attackers can exploit the weakness over the network to access or modify arbitrary system files. Public exploit references describe successful remote command execution against QNAP QTS installations running vulnerable versions of Photo Station, such as 6.0.3, enabling complete system compromise without credentials.

QNAP security advisories direct users to update Photo Station to the latest available versions as the primary remediation. The vulnerability appears in CISA's catalog of known exploited vulnerabilities, confirming observed real-world attacks.

Vulnerability details

This external control of file name or path vulnerability allows remote attackers to access or modify system files. To fix the vulnerability, QNAP recommend updating Photo Station to their latest versions.

CWE(s)
KEV Date Added: 08 June 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

qnap photo station: ≤ 6.0.3 · ≤ 5.7.10 · ≤ 5.4.9

Mitigating Controls (NIST 800-53 r5)

Prevent: Directly enforces validation of file paths and names supplied by remote users, blocking the path-traversal sequences that enable arbitrary file access in Photo Station.

Prevent: Requires timely application of vendor patches that eliminate the external file-path control flaw in vulnerable Photo Station versions.

Prevent: Enforces access-control decisions on file-system objects so that even a successful path traversal cannot read or modify files without proper authorization.
