Cyber Resilience

CVE-2022-27593

Critical · CISA KEV · Active Exploitation · EUVD Exploited · Ransomware-linked

Published: 08 September 2022
Modified: 03 November 2025
KEV Added: 08 September 2022
Patch: available (fixed versions listed below)

CVSS Score (v3.1): 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H)
EPSS Score: 0.9378 (99.9th percentile)
Risk Priority: 96 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-27593 is a critical-severity Externally Controlled Reference to a Resource in Another Sphere (CWE-610) vulnerability in QNAP QTS. Its CVSS base score is 10.0 (Critical).

Operationally, it ranks in the top 0.1% of CVEs by exploit likelihood (EPSS), and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2022-27593 is an externally controlled reference to a resource vulnerability, tracked under CWE-610, that affects QNAP NAS devices running Photo Station. The flaw permits unauthorized modification of system files and carries a CVSS 3.1 base score of 10.0. QNAP has released fixes in Photo Station 6.1.2 and later for QTS 5.0.1, 6.0.22 and later for QTS 5.0.0/4.5.x, 5.7.18 and later for QTS 4.3.6, 5.4.15 and later for QTS 4.3.3, and 5.2.14 and later for QTS 4.2.6.

An unauthenticated attacker with network access can exploit the issue without user interaction to alter system files on the affected NAS. Per the CVSS vector, successful exploitation has high integrity and availability impact and low confidentiality impact, with a scope change (S:C) because the effect reaches beyond the Photo Station component into the underlying system.

QNAP security advisory QSA-22-24 details the fixed Photo Station versions and urges immediate installation. The vulnerability also appears in the CISA Known Exploited Vulnerabilities catalog, confirming observed in-the-wild exploitation.

The associated EPSS score has reached 0.9378, indicating a high likelihood of exploitation attempts.

EU & UK References

Vulnerability details

An externally controlled reference to a resource vulnerability has been reported to affect QNAP NAS running Photo Station. If exploited, this could allow an attacker to modify system files. We have already fixed the vulnerability in the following versions:

QTS 5.0.1: Photo Station 6.1.2 and later
QTS 5.0.0/4.5.x: Photo Station 6.0.22 and later
QTS 4.3.6: Photo Station 5.7.18 and later
QTS 4.3.3: Photo Station 5.4.15 and later
QTS 4.2.6: Photo Station 5.2.14 and later

CWE(s): CWE-610
KEV Date Added: 08 September 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

QNAP Photo Station: ≤ 5.2.14 · ≤ 5.4.15 · ≤ 5.7.18

Mitigating Controls (NIST 800-53 r5)

Prevent, AC-3 (Access Enforcement): directly enforces access control decisions on Photo Station resources so that unauthenticated external references cannot modify system files.

Prevent, SI-10 (Information Input Validation): requires validation of externally supplied resource references before they are dereferenced, blocking the CWE-610 vector used by this unauthenticated attack.

Prevent: mandates timely application of the vendor-supplied Photo Station patches listed in QSA-22-24 that eliminate the vulnerable code paths.

References