CVE-2022-27593
CVE-2022-27593 is a critical-severity vulnerability in Qnap Photo Station with a CVSS 3.x base score of 10.0. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2022-09-08). The underlying weakness is classified as CWE-610.
Key facts
- Severity: Critical (CVSS 3.x base score 10.0)
- EPSS exploit prediction: 88% (100th percentile)
- Actively exploited: Yes — listed in CISA KEV (added 2022-09-08)
- EU (EUVD) id: EUVD-2022-32094
- EU exploitation: Flagged exploited in the ENISA EU Vulnerability Database (since 2022-09-08)
- Weakness: CWE-610
- Affected product: Qnap Photo Station
- Published:
- Last modified:
Description
An externally controlled reference to a resource vulnerability has been reported to affect QNAP NAS running Photo Station. If exploited, This could allow an attacker to modify system files. We have already fixed the vulnerability in the following versions: QTS 5.0.1: Photo Station 6.1.2 and later QTS 5.0.0/4.5.x: Photo Station 6.0.22 and later QTS 4.3.6: Photo Station 5.7.18 and later QTS 4.3.3: Photo Station 5.4.15 and later QTS 4.2.6: Photo Station 5.2.14 and later
CVE-2022-27593: QNAP Photo Station Externally Controlled Reference to Resource (CWE-610)
AI-generated analysis based on the vulnerability data on this page.
| Field | Value |
|---|---|
| CVE ID | CVE-2022-27593 |
| CVSS v3.1 | 10.0 (Critical) — AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H |
| CWE | CWE-610: Externally Controlled Reference to a Resource in Another Sphere |
| EPSS | 0.87908 (99.7th percentile) |
| KEV Listed | Yes — added 2022-09-08 |
| EU Exploited | Yes — since 2022-09-08 |
| Published | 2022-09-08 |
| Vendor | QNAP |
| Product | Photo Station (QTS) |
Summary
CVE-2022-27593 is a critical vulnerability in QNAP's Photo Station application for QNAP NAS devices. The flaw stems from an externally controlled reference to a resource (CWE-610), enabling an unauthenticated remote attacker to manipulate system files on the affected NAS. With a CVSS v3.1 score of 10.0 and confirmed active exploitation, this vulnerability demands immediate attention from all QNAP Photo Station administrators.
Background
QNAP Photo Station is a media management and sharing application bundled with QNAP's QTS operating system for Network Attached Storage (NAS) devices. NAS devices are frequently deployed at network edge positions, directly exposed to the internet for remote access, file sharing, and media streaming. This exposure makes NAS appliances high-value targets for threat actors seeking to gain footholds in home, small-business, and enterprise networks.
Root Cause
The vulnerability is classified as CWE-610: Externally Controlled Reference to a Resource in Another Sphere. In this context, Photo Station improperly handles externally supplied input that references files or resources on the underlying QTS system. An attacker can supply a crafted request referencing sensitive system paths, and the application fails to adequately validate or sanitize these references before processing them. This path traversal or file-inclusion style weakness allows the attacker to reach outside the intended application directory and interact with critical operating system files.
The CVSS v3.1 vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H underscores the severity:
- Attack Vector (AV):N — Exploitable over the network with no local access required.
- Attack Complexity (AC):L — No special conditions or complex steps needed.
- Privileges Required (PR):N — No authentication necessary.
- User Interaction (UI):N — No victim interaction required.
- Scope (S):C — The vulnerable component impacts resources beyond its own security scope (the underlying QTS OS).
- Confidentiality (C):L, Integrity (I):H, Availability (A):H — System files can be modified, leading to high integrity and availability impact.
Impact
Successful exploitation of this vulnerability allows an unauthenticated remote attacker to:
- Modify system files on the QNAP NAS, including configuration files, binaries, or startup scripts.
- Potentially achieve full device compromise by replacing critical OS components or planting persistent backdoors.
- Disrupt NAS operations by corrupting system data or deleting files (high availability impact).
- Use the compromised NAS as a pivot point into the broader internal network.
The scope change (S:C) is particularly important: Photo Station runs as an application-layer service, yet the flaw allows the attacker to affect the integrity and availability of the entire QTS operating system underneath it.
Exploitation Walkthrough
Ethics caveat: The following describes the exploitation mechanism at a defensive level to aid detection and mitigation. No weaponized exploit code is provided. Organizations should use this information to understand attack patterns, not to reproduce attacks against systems they do not own.
An attacker targets an internet-facing QNAP NAS running a vulnerable version of Photo Station. By crafting an HTTP request that includes a malicious file reference or path parameter, the attacker causes Photo Station to resolve that reference against the underlying QTS filesystem. Because the input is not properly validated, the reference resolves to a system file location rather than the intended application directory. The attacker can then overwrite, append to, or delete that system file. Since no authentication is required and the attack is trivial to execute (AC:L), opportunistic mass-exploitation is highly feasible — consistent with the observed EPSS and KEV data.
Affected and Patched Versions
| QTS Version | Photo Station Fix Version |
|---|---|
| QTS 5.0.1 | Photo Station 6.1.2 and later |
| QTS 5.0.0 / 4.5.x | Photo Station 6.0.22 and later |
| QTS 4.3.6 | Photo Station 5.7.18 and later |
| QTS 4.3.3 | Photo Station 5.4.15 and later |
| QTS 4.2.6 | Photo Station 5.2.14 and later |
All earlier versions of Photo Station on the listed QTS branches are vulnerable.
Remediation
- Upgrade immediately. Apply the patched Photo Station version corresponding to your QTS release from the table above. QNAP has published the fixes in QSA-22-24.
- Disable Photo Station if it is not required, until patching is complete.
- Compensating controls:
- Restrict inbound access to the NAS management interface and Photo Station to trusted IP ranges only (do not expose directly to the internet).
- Enable QNAP's Security Counselor and ensure automatic security updates are configured.
- Segment NAS devices on a dedicated network VLAN with strict egress filtering.
- Review and enforce strong firewall rules at the network perimeter.
Detection
- Network: Monitor for anomalous HTTP requests to Photo Station endpoints containing path-like sequences (
../, absolute paths, or unexpected file extensions). - Host: Monitor the NAS filesystem for unauthorized changes to system directories (
/etc,/usr,/share, QTS internal paths) outside of scheduled maintenance windows. - Logs: Review QTS system logs and Photo Station access logs for requests from unexpected source IPs, especially shortly before file-modification events.
- Threat Intelligence: Cross-reference inbound traffic against known exploitation indicators. Given the KEV and EU-exploited status, threat-intel feeds likely contain IOCs for this vulnerability.
Assessment
CVE-2022-27593 is a textbook example of a critical-severity, trivially exploitable NAS vulnerability that is actively exploited in the wild. The EPSS score of 0.87908 places it in the top 0.3% of all CVEs by exploitation probability, and its presence on both the CISA KEV catalog and the EU exploited vulnerabilities list confirms real-world weaponization.
Key lessons:
- Input validation is non-negotiable. Any application that accepts file or resource references from untrusted input must rigorously validate and sanitize them against directory traversal and unexpected scope changes.
- NAS exposure to the internet is high-risk. Devices running web-facing applications like Photo Station should never be directly accessible from untrusted networks without additional protective controls.
References
Frequently asked questions
- What is CVE-2022-27593?
- An externally controlled reference to a resource vulnerability has been reported to affect QNAP NAS running Photo Station. If exploited, This could allow an attacker to modify system files. We have already fixed the vulnerability in the following versions: QTS 5.0.1: Photo Station 6.1.2 and later QTS 5.0.0/4.5.x: Photo Station 6.0.22 and later QTS 4.3.6: Photo Station 5.7.18 and later QTS 4.3.3: Photo Station 5.4.15 and later QTS 4.2.6: Photo Station 5.2.14 and later
- How severe is CVE-2022-27593?
- CVE-2022-27593 has a CVSS 3.x base score of 10.0, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is low, integrity high, and availability high.
- Is CVE-2022-27593 being actively exploited?
- Yes. CVE-2022-27593 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2022-09-08, which means active exploitation has been confirmed. It should be prioritised for remediation.
- What products are affected by CVE-2022-27593?
- CVE-2022-27593 affects Qnap Photo Station. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2022-27593?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
- Does CVE-2022-27593 have an EU (EUVD) identifier?
- Yes. CVE-2022-27593 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2022-32094. It is also flagged as exploited in the EUVD (since 2022-09-08).
- When was CVE-2022-27593 published?
- CVE-2022-27593 was published on 2022-09-08 and last updated on 2026-06-17.
References
- https://www.qnap.com/en/security-advisory/qsa-22-24
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-27593
Affected products (1)
- cpe:2.3:a:qnap:photo_station:*:*:*:*:*:*:*:*
More vulnerabilities in Qnap Photo Station
- CVE-2017-20210 — Critical (CVSS 9.8): Photo Station 5.4.1 & 5.2.7 include the security fix for the vulnerability related to the XMR mining programs…
- CVE-2019-7195 — Critical (CVSS 9.8): This external control of file name or path vulnerability allows remote attackers to access or modify system files. To…
- CVE-2019-7194 — Critical (CVSS 9.8): This external control of file name or path vulnerability allows remote attackers to access or modify system files. To…
- CVE-2019-7192 — Critical (CVSS 9.8): This improper access control vulnerability allows remote attackers to gain unauthorized access to the system. To fix…
- CVE-2021-34356 — High (CVSS 7.6): A cross-site scripting (XSS) vulnerability has been reported to affect QNAP device running Photo Station. If exploited,…
- CVE-2021-34355 — High (CVSS 7.6): A cross-site scripting (XSS) vulnerability has been reported to affect QNAP NAS running Photo Station. If exploited,…
All CVEs affecting Qnap Photo Station →
Other CWE-610 vulnerabilities
- CVE-2019-7290 — Critical (CVSS 10.0): An access issue was addressed with additional sandbox restrictions. This issue is fixed in Shortcuts 2.1.3 for iOS. A…
- CVE-2017-16088 — Critical (CVSS 10.0): The safe-eval module describes itself as a safer version of eval. By accessing the object constructors, un-sanitized…
- CVE-2022-39206 — Critical (CVSS 9.9): Onedev is an open source, self-hosted Git Server with CI/CD and Kanban. When using Docker-based job executors, the…
- CVE-2026-47643 — Critical (CVSS 9.8): External control of file name or path in Azure Stack Edge allows an unauthorized attacker to execute code over a…
- CVE-2022-20239 — Critical (CVSS 9.8): remap_pfn_range' here may map out of size kernel memory (for example, may map the kernel area), and because the…
- CVE-2021-44041 — Critical (CVSS 9.8): UiPath Assistant 21.4.4 will load and execute attacker controlled data from the file path supplied to the --dev-widget…