CVE-2019-7195
CVE-2019-7195 is a critical-severity vulnerability in Qnap Photo Station with a CVSS 3.x base score of 9.8. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2022-06-08). The underlying weakness is classified as CWE-22.
Key facts
- Severity: Critical (CVSS 3.x base score 9.8)
- CVSS v2: 7.5
- EPSS exploit prediction: 90% (100th percentile)
- Actively exploited: Yes — listed in CISA KEV (added 2022-06-08)
- EU (EUVD) id: EUVD-2019-16739
- EU exploitation: Flagged exploited in the ENISA EU Vulnerability Database (since 2022-06-08)
- Weakness: CWE-22
- Affected product: Qnap Photo Station
- Published:
- Last modified:
Description
This external control of file name or path vulnerability allows remote attackers to access or modify system files. To fix the vulnerability, QNAP recommend updating Photo Station to their latest versions.
CVE-2019-7195: QNAP Photo Station Path Traversal (CWE-22) — Critical, KEV-Listed
AI-generated analysis based on the vulnerability data on this page.
| Attribute | Value |
|---|---|
| CVE ID | CVE-2019-7195 |
| CWE | CWE-22: Improper Limitation of a Pathname to a Restricted Directory (Path Traversal) |
| CVSS v3 | 9.8 — Critical (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) |
| CVSS v2 | 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) |
| EPSS | 0.89681 (99.77th percentile) |
| KEV | Yes — added to CISA KEV on 2022-06-08 |
| Product | QNAP Photo Station / QNAP QTS |
| Affected | QNAP Photo Station (all versions per CPE), QTS 4.4.1, QTS 4.2.6, and other QTS builds |
| Sources | NVD, CISA KEV, QNAP Security Advisory |
Summary
CVE-2019-7195 is an external control of file name or path vulnerability in QNAP Photo Station. The flaw allows remote, unauthenticated attackers to traverse the file system and access or modify arbitrary files on the underlying QNAP NAS device. Because the vulnerability is network-exploitable with no privileges required and no user interaction, it presents a severe risk to exposed QNAP systems.
Background
QNAP Photo Station is a web-based photo-management application shipped with QNAP Network Attached Storage (NAS) devices running QTS. The application provides album browsing, thumbnail generation, and sharing capabilities. Like many NAS appliances, QNAP devices are frequently deployed on home and small-office networks and are often exposed to the internet for remote access. In November 2019, QNAP published a security advisory warning customers of a critical vulnerability in Photo Station and urging immediate patching. The vulnerability was subsequently added to the CISA Known Exploited Vulnerabilities (KEV) catalog in June 2022, confirming active exploitation.
Root Cause
The vulnerability is classified under CWE-22: Improper Limitation of a Pathname to a Restricted Directory (Path Traversal). The Photo Station application fails to adequately sanitize user-supplied file or path inputs before using them in filesystem operations. An attacker can supply path traversal sequences (e.g., ../) to escape the intended application directory and reach sensitive system locations. This improper validation allows the attacker to control the target file path, leading to unauthorized file read or write operations.
Impact
The CVSS v3 score of 9.8 (Critical) reflects the severity of this flaw:
- Network Attack Vector (AV:N): The vulnerability can be exploited over the network without local access.
- Low Attack Complexity (AC:L): No special conditions or pre-computation are required.
- No Privileges Required (PR:N): Exploitation does not require authentication.
- No User Interaction (UI:N): The victim does not need to perform any action.
- High Confidentiality Impact (C:H): Arbitrary file read enables access to configuration files, credentials, and sensitive data stored on the NAS.
- High Integrity Impact (I:H): Arbitrary file modification can alter system binaries, web application files, or stored data.
- High Availability Impact (A:H): Modifying or deleting critical system files can render the device inoperable.
Because the NAS typically stores backups and sensitive personal or business data, successful exploitation can lead to data theft, ransomware deployment, or complete system compromise. The presence on the CISA KEV list and an EPSS score of 0.89681 (99.77th percentile) indicates that this vulnerability is among the most likely to be actively exploited in the wild.
Exploitation Walkthrough
Ethics Notice: The following description is provided for defensive awareness only. It is generic and does not contain weaponized exploit code. Do not attempt to exploit systems you do not own or have explicit permission to test.
An attacker identifies a QNAP device running Photo Station accessible over the internet (commonly on TCP 443 or 8080). The attacker crafts an HTTP request targeting an endpoint that accepts a filename or path parameter. By injecting path traversal sequences into this parameter, the attacker redirects the filesystem operation to a location outside the intended web root or application directory. For example, the attacker may target system configuration files, password hashes, or sensitive documents stored on the NAS volumes. Because the application lacks proper input validation and path canonicalization, the underlying operating system resolves the traversal and returns or writes the requested file. The vulnerability does not require authentication, making it trivial to scan for and exploit at scale using automated tools.
Affected and Patched Versions
Based on the available CPE data, affected products include:
- QNAP Photo Station (all versions matching
cpe:2.3:a:qnap:photo_station:*:*:*:*:*:*:*:*) - QNAP QTS 4.4.1
- QNAP QTS 4.2.6
- Other QTS builds (per
cpe:2.3:o:qnap:qts:*:*:*:*:*:*:*:*)
QNAP's official advisory recommends updating Photo Station and QTS to the latest available versions. Specific patched version numbers were not documented in the retrieved NVD record; administrators should consult the QNAP Security Advisory for exact release numbers and apply the most recent firmware updates.
Remediation
- Upgrade Immediately: Apply the latest QTS firmware and Photo Station update from QNAP. The vendor explicitly recommends updating to the latest versions to resolve this vulnerability.
- Disable Remote Access: If remote access is not required, disable the QNAP NAS from the internet. Use a VPN for remote administration instead of exposing the web interface directly.
- Network Segmentation: Place the NAS on an isolated network segment with restricted ingress/egress rules. Limit access to trusted internal hosts only.
- Web Application Firewall (WAF): Deploy a WAF or reverse proxy that blocks path traversal patterns (
../,%2e%2e%2f, encoded variants) before they reach the NAS. - Monitor for Compromise: Review logs for unusual file access patterns, unauthorized file modifications, or new administrative accounts.
Detection
- Network Signatures: Monitor inbound HTTP requests to Photo Station endpoints for path traversal sequences (
../,..\, and URL-encoded variants) in query parameters or POST bodies. - File Integrity Monitoring: Use FIM tools on the QNAP device or on stored shares to detect unexpected changes to system files, web application scripts, or configuration files.
- Anomaly Detection: Alert on sudden spikes in external requests to Photo Station endpoints, especially from geolocations or ASNs not associated with normal user activity.
- Log Review: Examine QNAP system logs and web server access logs for 200/500 responses to Photo Station requests containing traversal patterns.
- Threat Intelligence: The CISA KEV entry and high EPSS score mean this CVE should be a top-priority detection rule in any SOC monitoring QNAP infrastructure.
Assessment
CVE-2019-7195 is a textbook example of how a single missing input-validation check on a widely deployed edge device can lead to critical, wormable exposure. With an EPSS of 0.89681 and confirmed KEV status since June 2022, this is not a theoretical risk — it is actively exploited by threat actors. The combination of unauthenticated network access, trivial exploitability, and high impact makes this one of the highest-priority vulnerabilities for any organization running QNAP NAS devices.
Key lessons:
- Sanitize all filesystem paths at the application layer: Never pass user-controlled input directly to filesystem APIs without canonicalization and allow-list validation.
- Edge devices are high-value targets: NAS appliances, VPN gateways, and firewalls are attractive to ransomware operators because they often store backups and are exposed to the internet. Continuous patching and network hardening are essential.
References
Frequently asked questions
- What is CVE-2019-7195?
- This external control of file name or path vulnerability allows remote attackers to access or modify system files. To fix the vulnerability, QNAP recommend updating Photo Station to their latest versions.
- How severe is CVE-2019-7195?
- CVE-2019-7195 has a CVSS 3.x base score of 9.8, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2019-7195 being actively exploited?
- Yes. CVE-2019-7195 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2022-06-08, which means active exploitation has been confirmed. It should be prioritised for remediation.
- What products are affected by CVE-2019-7195?
- CVE-2019-7195 affects Qnap Photo Station. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2019-7195?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
- Does CVE-2019-7195 have an EU (EUVD) identifier?
- Yes. CVE-2019-7195 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2019-16739. It is also flagged as exploited in the EUVD (since 2022-06-08).
- When was CVE-2019-7195 published?
- CVE-2019-7195 was published on 2019-12-05 and last updated on 2026-06-17.
References
- http://packetstormsecurity.com/files/157857/QNAP-QTS-And-Photo-Station-6.0.3-Remote-Command-Execution.html
- https://www.qnap.com/zh-tw/security-advisory/nas-201911-25
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-7195
Affected products (1)
- cpe:2.3:a:qnap:photo_station:*:*:*:*:*:*:*:*
More vulnerabilities in Qnap Photo Station
- CVE-2022-27593 — Critical (CVSS 10.0): An externally controlled reference to a resource vulnerability has been reported to affect QNAP NAS running Photo…
- CVE-2017-20210 — Critical (CVSS 9.8): Photo Station 5.4.1 & 5.2.7 include the security fix for the vulnerability related to the XMR mining programs…
- CVE-2019-7194 — Critical (CVSS 9.8): This external control of file name or path vulnerability allows remote attackers to access or modify system files. To…
- CVE-2019-7192 — Critical (CVSS 9.8): This improper access control vulnerability allows remote attackers to gain unauthorized access to the system. To fix…
- CVE-2021-34356 — High (CVSS 7.6): A cross-site scripting (XSS) vulnerability has been reported to affect QNAP device running Photo Station. If exploited,…
- CVE-2021-34355 — High (CVSS 7.6): A cross-site scripting (XSS) vulnerability has been reported to affect QNAP NAS running Photo Station. If exploited,…
All CVEs affecting Qnap Photo Station →
Other CWE-22 (Path Traversal) vulnerabilities
- CVE-2026-48282 — Critical (CVSS 10.0): ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Limitation of a Pathname to a Restricted…
- CVE-2026-54917 — Critical (CVSS 10.0): SeaweedFS is a distributed storage system for object storage (S3), file systems, and Iceberg tables. Prior to 4.30, the…
- CVE-2026-11429 — Critical (CVSS 10.0): Two endpoints in the Vault Service ScriptsController, shared by Altium Enterprise Server and Altium 365, accept file…
- CVE-2026-34909 — Critical (CVSS 10.0): A malicious actor with access to the network could exploit a Path Traversal vulnerability found in UniFi OS devices to…
- CVE-2026-7411 — Critical (CVSS 10.0): In Eclipse BaSyx Java Server SDK versions prior to 2.0.0-milestone-10, inadequate path normalization in the Submodel…
- CVE-2026-36767 — Critical (CVSS 10.0): A path traversal vulnerability in the /content/images/add endpoint of shopizer v3.2.5 allows attackers write arbitrary…