CVE-2019-7195
Published: 05 December 2019
Summary
CVE-2019-7195 is a critical-severity Path Traversal (CWE-22) vulnerability in QNAP Photo Station. Its CVSS base score is 9.8 (Critical).
Operationally, it is ranked in the top 0.1% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2019-7195 is an external control of file name or path vulnerability, also known as a path traversal flaw under CWE-22, that affects QNAP Photo Station. The issue permits unauthorized manipulation of file paths, which can lead to access or modification of system files on the affected NAS devices. It carries a CVSS 3.1 base score of 9.8, reflecting network-accessible exploitation with no required authentication or user interaction and full impacts on confidentiality, integrity, and availability.
Remote attackers can exploit the flaw over the network to read or alter arbitrary system files. Public references describe successful remote command execution against QNAP QTS combined with Photo Station version 6.0.3, confirming that unauthenticated adversaries can achieve full system compromise without any credentials.
QNAP security advisories direct users to update Photo Station to the latest available versions as the primary remediation. The vulnerability appears in CISA's catalog of known exploited vulnerabilities, indicating confirmed exploitation in the wild.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2019-16739
Vulnerability details
This external control of file name or path vulnerability allows remote attackers to access or modify system files. To fix the vulnerability, QNAP recommend updating Photo Station to their latest versions.
- CWE(s): CWE-22
- KEV Date Added: 08 June 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls (NIST 800-53 r5)
Strict validation and sanitization of file/path inputs directly blocks the external control of file names that enables the path traversal.
Applying the vendor-supplied Photo Station update removes the path-traversal flaw before it can be exploited.
Enforcing access-control decisions on file-system objects would deny the unauthorized reads/writes that the flaw permits.