CVE-2019-7192

CVE-2019-7192 is a critical-severity vulnerability in Qnap Photo Station with a CVSS 3.x base score of 9.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2022-06-08). The underlying weakness is classified as CWE-863.

Key facts

Description

This improper access control vulnerability allows remote attackers to gain unauthorized access to the system. To fix these vulnerabilities, QNAP recommend updating Photo Station to their latest versions.

CVE-2019-7192: QNAP Photo Station Improper Access Control (CVSS 9.8, KEV)

AI-generated analysis based on the vulnerability data on this page.

Field Value
CVE CVE-2019-7192
Product QNAP Photo Station / QNAP QTS
CVSS v3 9.8 CRITICAL
EPSS 88.2% (0.88213)
CWE CWE-863 (Incorrect Authorization)
KEV Yes (since 2022-06-08)

Summary

CVE-2019-7192 is an improper access control vulnerability (CWE-863) in QNAP Photo Station that allows remote, unauthenticated attackers to gain unauthorized access to the system. The vulnerability has a critical CVSS v3 score of 9.8 and is listed in the CISA Known Exploited Vulnerabilities catalog.

Background

QNAP Photo Station is a photo management application bundled with QNAP Network-Attached Storage (NAS) devices running the QTS operating system. It provides web-based photo browsing, sharing, and album management features. NAS devices are frequently exposed to the internet for remote access, making web-facing applications like Photo Station high-value targets for automated exploitation campaigns.

Root Cause

The vulnerability is classified as CWE-863 (Incorrect Authorization). The application fails to properly enforce access controls on certain endpoints or functions, allowing remote attackers to bypass authentication mechanisms. The missing or flawed authorization checks permit unauthorized actions that should require valid user credentials, effectively granting anonymous users privileges they should not possess.

Impact

The CVSS v3 metrics for this vulnerability are:

Metric Value
Attack Vector Network (AV:N)
Attack Complexity Low (AC:L)
Privileges Required None (PR:N)
User Interaction None (UI:N)
Scope Unchanged (S:U)
Confidentiality High (C:H)
Integrity High (I:H)
Availability High (A:H)

An unauthenticated remote attacker can gain unauthorized access to the system, potentially leading to data exposure, system compromise, and further lateral movement within the network. The high EPSS score (88.2%, 99.75th percentile) and KEV listing confirm this vulnerability is actively exploited in the wild.

Exploitation Walkthrough

Attackers have been observed exploiting this vulnerability by sending crafted HTTP requests to vulnerable Photo Station endpoints that lack proper authorization checks. Because exploitation does not require authentication, automated scanners and botnets can trivially identify and compromise exposed QNAP devices.

⚠️ Ethics caveat: This section describes the vulnerability from a defender's perspective. Actual exploitation of systems without authorization is illegal and unethical. The information provided is for defensive hardening, detection, and remediation purposes only.

Affected and Patched Versions

Affected:

  • QNAP Photo Station (versions prior to patched releases)
  • QNAP QTS 4.2.6
  • QNAP QTS 4.4.1

Patched versions:

  • QNAP has released security updates. Users should consult QNAP Security Advisory NAS-201911-25 for specific patched version numbers.

Remediation

  1. Upgrade immediately: Apply the latest firmware and Photo Station updates from QNAP as specified in the official security advisory.

  2. Compensating controls:

    • Restrict network access to Photo Station and QNAP administration interfaces using firewall rules or require VPN access.
    • Disable Photo Station if it is not required for business operations.
    • Implement network segmentation to isolate NAS devices from untrusted networks.
    • Enable QNAP's Security Counselor and apply all recommended security settings.
    • Monitor for unauthorized access attempts and anomalous administrative actions.

Detection

  • Monitor web server logs for unusual HTTP requests to Photo Station endpoints, particularly requests that bypass expected authentication flows.
  • Review QNAP system logs for unexpected administrative actions, file access patterns, or configuration changes.
  • Correlate QNAP system logs with known indicators of compromise from threat intelligence feeds.
  • Deploy network intrusion detection systems (IDS) to detect scanning and exploitation activity targeting QNAP devices.

Assessment

With an EPSS score of 88.2% and inclusion in the CISA Known Exploited Vulnerabilities (KEV) catalog since June 2022, CVE-2019-7192 represents a clear and active threat to organizations running vulnerable QNAP devices. The combination of network accessibility, lack of authentication requirements, and high confidentiality, integrity, and availability impact makes this a priority patching target. Organizations should not delay remediation based on the assumption that their devices are not being actively targeted.

Key lessons:

  1. Authentication is not optional for internet-facing applications: Any web-facing endpoint must enforce proper authorization, especially on devices commonly exposed to the internet.
  2. EPSS should drive prioritization: With an EPSS score above 88%, organizations should treat this as an active threat regardless of their internal threat intelligence capabilities.

References

Frequently asked questions

What is CVE-2019-7192?
This improper access control vulnerability allows remote attackers to gain unauthorized access to the system. To fix these vulnerabilities, QNAP recommend updating Photo Station to their latest versions.
How severe is CVE-2019-7192?
CVE-2019-7192 has a CVSS 3.x base score of 9.8, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
Is CVE-2019-7192 being actively exploited?
Yes. CVE-2019-7192 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2022-06-08, which means active exploitation has been confirmed. It should be prioritised for remediation.
What products are affected by CVE-2019-7192?
CVE-2019-7192 affects Qnap Photo Station. See the affected-products list for the exact vulnerable versions.
How do I fix CVE-2019-7192?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
Does CVE-2019-7192 have an EU (EUVD) identifier?
Yes. CVE-2019-7192 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2019-16736. It is also flagged as exploited in the EUVD (since 2022-06-08).
When was CVE-2019-7192 published?
CVE-2019-7192 was published on 2019-12-05 and last updated on 2026-06-17.

References

Affected products (1)

More vulnerabilities in Qnap Photo Station

All CVEs affecting Qnap Photo Station →

Other CWE-863 (Incorrect Authorization) vulnerabilities

Browse all CWE-863 (Incorrect Authorization) vulnerabilities →