CVE-2019-7192
CVE-2019-7192 is a critical-severity vulnerability in Qnap Photo Station with a CVSS 3.x base score of 9.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2022-06-08). The underlying weakness is classified as CWE-863.
Key facts
- Severity: Critical (CVSS 3.x base score 9.8)
- CVSS v2: 7.5
- EPSS exploit prediction: 88% (100th percentile)
- Actively exploited: Yes — listed in CISA KEV (added 2022-06-08)
- EU (EUVD) id: EUVD-2019-16736
- EU exploitation: Flagged exploited in the ENISA EU Vulnerability Database (since 2022-06-08)
- Weakness: CWE-863
- Affected product: Qnap Photo Station
- Published:
- Last modified:
Description
This improper access control vulnerability allows remote attackers to gain unauthorized access to the system. To fix these vulnerabilities, QNAP recommend updating Photo Station to their latest versions.
CVE-2019-7192: QNAP Photo Station Improper Access Control (CVSS 9.8, KEV)
AI-generated analysis based on the vulnerability data on this page.
| Field | Value |
|---|---|
| CVE | CVE-2019-7192 |
| Product | QNAP Photo Station / QNAP QTS |
| CVSS v3 | 9.8 CRITICAL |
| EPSS | 88.2% (0.88213) |
| CWE | CWE-863 (Incorrect Authorization) |
| KEV | Yes (since 2022-06-08) |
Summary
CVE-2019-7192 is an improper access control vulnerability (CWE-863) in QNAP Photo Station that allows remote, unauthenticated attackers to gain unauthorized access to the system. The vulnerability has a critical CVSS v3 score of 9.8 and is listed in the CISA Known Exploited Vulnerabilities catalog.
Background
QNAP Photo Station is a photo management application bundled with QNAP Network-Attached Storage (NAS) devices running the QTS operating system. It provides web-based photo browsing, sharing, and album management features. NAS devices are frequently exposed to the internet for remote access, making web-facing applications like Photo Station high-value targets for automated exploitation campaigns.
Root Cause
The vulnerability is classified as CWE-863 (Incorrect Authorization). The application fails to properly enforce access controls on certain endpoints or functions, allowing remote attackers to bypass authentication mechanisms. The missing or flawed authorization checks permit unauthorized actions that should require valid user credentials, effectively granting anonymous users privileges they should not possess.
Impact
The CVSS v3 metrics for this vulnerability are:
| Metric | Value |
|---|---|
| Attack Vector | Network (AV:N) |
| Attack Complexity | Low (AC:L) |
| Privileges Required | None (PR:N) |
| User Interaction | None (UI:N) |
| Scope | Unchanged (S:U) |
| Confidentiality | High (C:H) |
| Integrity | High (I:H) |
| Availability | High (A:H) |
An unauthenticated remote attacker can gain unauthorized access to the system, potentially leading to data exposure, system compromise, and further lateral movement within the network. The high EPSS score (88.2%, 99.75th percentile) and KEV listing confirm this vulnerability is actively exploited in the wild.
Exploitation Walkthrough
Attackers have been observed exploiting this vulnerability by sending crafted HTTP requests to vulnerable Photo Station endpoints that lack proper authorization checks. Because exploitation does not require authentication, automated scanners and botnets can trivially identify and compromise exposed QNAP devices.
⚠️ Ethics caveat: This section describes the vulnerability from a defender's perspective. Actual exploitation of systems without authorization is illegal and unethical. The information provided is for defensive hardening, detection, and remediation purposes only.
Affected and Patched Versions
Affected:
- QNAP Photo Station (versions prior to patched releases)
- QNAP QTS 4.2.6
- QNAP QTS 4.4.1
Patched versions:
- QNAP has released security updates. Users should consult QNAP Security Advisory NAS-201911-25 for specific patched version numbers.
Remediation
-
Upgrade immediately: Apply the latest firmware and Photo Station updates from QNAP as specified in the official security advisory.
-
Compensating controls:
- Restrict network access to Photo Station and QNAP administration interfaces using firewall rules or require VPN access.
- Disable Photo Station if it is not required for business operations.
- Implement network segmentation to isolate NAS devices from untrusted networks.
- Enable QNAP's Security Counselor and apply all recommended security settings.
- Monitor for unauthorized access attempts and anomalous administrative actions.
Detection
- Monitor web server logs for unusual HTTP requests to Photo Station endpoints, particularly requests that bypass expected authentication flows.
- Review QNAP system logs for unexpected administrative actions, file access patterns, or configuration changes.
- Correlate QNAP system logs with known indicators of compromise from threat intelligence feeds.
- Deploy network intrusion detection systems (IDS) to detect scanning and exploitation activity targeting QNAP devices.
Assessment
With an EPSS score of 88.2% and inclusion in the CISA Known Exploited Vulnerabilities (KEV) catalog since June 2022, CVE-2019-7192 represents a clear and active threat to organizations running vulnerable QNAP devices. The combination of network accessibility, lack of authentication requirements, and high confidentiality, integrity, and availability impact makes this a priority patching target. Organizations should not delay remediation based on the assumption that their devices are not being actively targeted.
Key lessons:
- Authentication is not optional for internet-facing applications: Any web-facing endpoint must enforce proper authorization, especially on devices commonly exposed to the internet.
- EPSS should drive prioritization: With an EPSS score above 88%, organizations should treat this as an active threat regardless of their internal threat intelligence capabilities.
References
Frequently asked questions
- What is CVE-2019-7192?
- This improper access control vulnerability allows remote attackers to gain unauthorized access to the system. To fix these vulnerabilities, QNAP recommend updating Photo Station to their latest versions.
- How severe is CVE-2019-7192?
- CVE-2019-7192 has a CVSS 3.x base score of 9.8, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2019-7192 being actively exploited?
- Yes. CVE-2019-7192 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2022-06-08, which means active exploitation has been confirmed. It should be prioritised for remediation.
- What products are affected by CVE-2019-7192?
- CVE-2019-7192 affects Qnap Photo Station. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2019-7192?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
- Does CVE-2019-7192 have an EU (EUVD) identifier?
- Yes. CVE-2019-7192 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2019-16736. It is also flagged as exploited in the EUVD (since 2022-06-08).
- When was CVE-2019-7192 published?
- CVE-2019-7192 was published on 2019-12-05 and last updated on 2026-06-17.
References
- http://packetstormsecurity.com/files/157857/QNAP-QTS-And-Photo-Station-6.0.3-Remote-Command-Execution.html
- https://www.qnap.com/zh-tw/security-advisory/nas-201911-25
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-7192
Affected products (1)
- cpe:2.3:a:qnap:photo_station:*:*:*:*:*:*:*:*
More vulnerabilities in Qnap Photo Station
- CVE-2022-27593 — Critical (CVSS 10.0): An externally controlled reference to a resource vulnerability has been reported to affect QNAP NAS running Photo…
- CVE-2017-20210 — Critical (CVSS 9.8): Photo Station 5.4.1 & 5.2.7 include the security fix for the vulnerability related to the XMR mining programs…
- CVE-2019-7195 — Critical (CVSS 9.8): This external control of file name or path vulnerability allows remote attackers to access or modify system files. To…
- CVE-2019-7194 — Critical (CVSS 9.8): This external control of file name or path vulnerability allows remote attackers to access or modify system files. To…
- CVE-2021-34356 — High (CVSS 7.6): A cross-site scripting (XSS) vulnerability has been reported to affect QNAP device running Photo Station. If exploited,…
- CVE-2021-34355 — High (CVSS 7.6): A cross-site scripting (XSS) vulnerability has been reported to affect QNAP NAS running Photo Station. If exploited,…
All CVEs affecting Qnap Photo Station →
Other CWE-863 (Incorrect Authorization) vulnerabilities
- CVE-2026-48286 — Critical (CVSS 10.0): Adobe Campaign Classic (ACC) versions 7.4.3 build 9396 and earlier are affected by an Incorrect Authorization…
- CVE-2026-48303 — Critical (CVSS 10.0): Adobe Campaign Classic (ACC) versions 7.4.3 build 9394 and earlier are affected by an Incorrect Authorization…
- CVE-2026-44330 — Critical (CVSS 10.0): free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's NEF mounts the…
- CVE-2026-46595 — Critical (CVSS 10.0): Previously, CVE-2024-45337 fixed an authorization bypass for misused ssh server configurations; if any other type of…
- CVE-2026-33105 — Critical (CVSS 10.0): Improper authorization in Microsoft Azure Kubernetes Service allows an unauthorized attacker to elevate privileges over…
- CVE-2026-32213 — Critical (CVSS 10.0): Improper authorization in Azure AI Foundry allows an unauthorized attacker to elevate privileges over a network.
Browse all CWE-863 (Incorrect Authorization) vulnerabilities →