CVE-2019-7194

CVE-2019-7194 is a critical-severity vulnerability in Qnap Photo Station with a CVSS 3.x base score of 9.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2022-06-08). The underlying weakness is classified as CWE-22.

Key facts

Description

This external control of file name or path vulnerability allows remote attackers to access or modify system files. To fix the vulnerability, QNAP recommend updating Photo Station to their latest versions.

CVE-2019-7194: QNAP Photo Station Path Traversal (CISA KEV)

AI-generated analysis based on the vulnerability data on this page.

Attribute Value
CVE CVE-2019-7194
Published 2019-12-05
CVSS 2.0 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVSS 3.1 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS 0.82966 (99.63rd percentile)
CWE CWE-22: Improper Limitation of a Pathname to a Restricted Directory
KEV Yes (added 2022-06-08)
Product QNAP Photo Station / QNAP QTS

Summary

CVE-2019-7194 is a path traversal vulnerability in QNAP Photo Station. The application fails to properly sanitize user-supplied file names or paths, allowing a remote attacker to traverse the directory structure and access or modify system files without authentication.

Background

QNAP Photo Station is a photo-management application bundled with QNAP Network-Attached Storage (NAS) devices running QTS. It enables users to upload, organize, and share photos. Because the service is typically exposed to the network for convenience, vulnerabilities in this component can have a broad impact on home and enterprise NAS deployments.

Root Cause

The vulnerability is classified as CWE-22: Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal"). The Photo Station application accepts user-controlled input for file names or paths without adequate validation or sanitization. Consequently, an attacker can supply path traversal sequences to escape the intended directory boundary and access files outside the web root or application sandbox.

Impact

This vulnerability received a CVSS 3.1 score of 9.8 (CRITICAL) and a CVSS 2.0 score of 7.5 (HIGH). The CVSS 3.1 vector indicates:

  • Attack Vector (AV): Network — exploitable remotely
  • Attack Complexity (AC): Low — no special conditions required
  • Privileges Required (PR): None — unauthenticated exploitation
  • User Interaction (UI): None — fully automated
  • Scope (S): Unchanged
  • Confidentiality (C): High — attacker can read sensitive files
  • Integrity (I): High — attacker can modify system files
  • Availability (A): High — potential for system disruption

The EPSS score of 0.82966 (99.63rd percentile) indicates a very high probability of observed exploitation in the wild. CISA has added this CVE to the Known Exploited Vulnerabilities catalog (added 2022-06-08).

Exploitation Walkthrough

From a defensive perspective, exploitation occurs when an attacker sends crafted HTTP requests to the Photo Station endpoint that include directory traversal sequences in file-name or path parameters. Because the application concatenates the attacker-controlled input into a filesystem path without filtering traversal sequences, the resulting path may resolve to sensitive locations such as system configuration files or password stores.

Ethics Note: This description is intentionally generic and is provided for defensive awareness only. Security professionals should test only on systems they own or have explicit permission to test.

Affected and Patched Versions

Affected products and versions (per CPE data):

  • QNAP Photo Station — all versions (cpe:2.3:a:qnap:photo_station:*:*:*:*:*:*:*:*)
  • QNAP QTS — multiple versions including 4.2.6 and 4.4.1

QNAP has released security updates. Administrators should consult the official QNAP security advisory (NAS-201911-25) for the exact patched version numbers and upgrade instructions.

Remediation

  1. Upgrade immediately. Apply the latest Photo Station and QTS firmware updates published by QNAP.
  2. Restrict network exposure. Do not expose Photo Station directly to the internet; place it behind a VPN or restrict source IPs via firewall rules.
  3. Segment your NAS. Isolate NAS devices on a dedicated network segment with limited ingress and egress traffic.
  4. Disable unnecessary services. If Photo Station is not required, disable it entirely.

Detection

  • Monitor web server logs for requests containing path traversal patterns (e.g., ../, encoded variants) targeting Photo Station endpoints.
  • Correlate Photo Station access logs with file-system audit logs for unexpected reads outside the photo album directories.
  • Check your QNAP NAS against the QNAP Security Advisory (NAS-201911-25) to confirm patch status.
  • Query the CISA KEV catalog to verify this CVE is flagged in your vulnerability management program.

Assessment

CVE-2019-7194 is a critical, actively exploited path traversal vulnerability with an EPSS score above 80%, confirming widespread exploitation. The combination of network accessibility, low attack complexity, and no authentication requirement makes it an attractive target for opportunistic and targeted threat actors alike.

Key lessons:

  1. Input validation is essential. Any endpoint that accepts file names or paths must strictly validate against traversal sequences.
  2. Network exposure amplifies risk. NAS services intended for internal use should never be internet-facing without additional controls.

References

Frequently asked questions

What is CVE-2019-7194?
This external control of file name or path vulnerability allows remote attackers to access or modify system files. To fix the vulnerability, QNAP recommend updating Photo Station to their latest versions.
How severe is CVE-2019-7194?
CVE-2019-7194 has a CVSS 3.x base score of 9.8, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
Is CVE-2019-7194 being actively exploited?
Yes. CVE-2019-7194 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2022-06-08, which means active exploitation has been confirmed. It should be prioritised for remediation.
What products are affected by CVE-2019-7194?
CVE-2019-7194 affects Qnap Photo Station. See the affected-products list for the exact vulnerable versions.
How do I fix CVE-2019-7194?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
Does CVE-2019-7194 have an EU (EUVD) identifier?
Yes. CVE-2019-7194 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2019-16738. It is also flagged as exploited in the EUVD (since 2022-06-08).
When was CVE-2019-7194 published?
CVE-2019-7194 was published on 2019-12-05 and last updated on 2026-06-17.

References

Affected products (1)

More vulnerabilities in Qnap Photo Station

All CVEs affecting Qnap Photo Station →

Other CWE-22 (Path Traversal) vulnerabilities

Browse all CWE-22 (Path Traversal) vulnerabilities →