CVE-2022-27593
Published: 08 September 2022
Summary
CVE-2022-27593 is a critical-severity Externally Controlled Reference to a Resource in Another Sphere (CWE-610) vulnerability in QNAP QTS. Its CVSS base score is 10.0 (Critical).
Operationally, it ranks in the top 0.1% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2022-27593 is an externally controlled reference to a resource vulnerability, tracked under CWE-610, that affects QNAP NAS devices running Photo Station. The flaw permits unauthorized modification of system files and carries a CVSS 3.1 base score of 10.0. QNAP has released fixes in Photo Station 6.1.2 and later for QTS 5.0.1, 6.0.22 and later for QTS 5.0.0/4.5.x, 5.7.18 and later for QTS 4.3.6, 5.4.15 and later for QTS 4.3.3, and 5.2.14 and later for QTS 4.2.6.
An unauthenticated attacker with network access can exploit the issue without user interaction to alter system files on the affected NAS. Successful exploitation can lead to integrity and availability impacts as well as limited confidentiality exposure under the CVSS scope change.
QNAP security advisory QSA-22-24 details the fixed Photo Station versions and urges immediate installation. The vulnerability also appears in the CISA Known Exploited Vulnerabilities catalog, confirming observed in-the-wild exploitation.
The associated EPSS score has reached 0.9378, indicating a high likelihood of exploitation attempts.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-32094
Vulnerability details
An externally controlled reference to a resource vulnerability has been reported to affect QNAP NAS running Photo Station. If exploited, this could allow an attacker to modify system files. We have already fixed the vulnerability in the following versions:
- QTS 5.0.1: Photo Station 6.1.2 and later
- QTS 5.0.0/4.5.x: Photo Station 6.0.22 and later
- QTS 4.3.6: Photo Station 5.7.18 and later
- QTS 4.3.3: Photo Station 5.4.15 and later
- QTS 4.2.6: Photo Station 5.2.14 and later
- CWE(s): CWE-610 (Externally Controlled Reference to a Resource in Another Sphere)
- KEV Date Added: 08 September 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
QNAP NAS devices running Photo Station on QTS versions earlier than the fixed releases listed above.
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): directly enforces access control decisions on Photo Station resources so that unauthenticated external references cannot modify system files.
- SI-10 (Information Input Validation): requires validation of externally supplied resource references before they are dereferenced, blocking the CWE-610 vector used by this unauthenticated attack.
- Vendor patching: mandates timely application of the vendor-supplied Photo Station patches listed in QSA-22-24 that eliminate the vulnerable code paths.