QNAP Photo Station Externally Controlled Reference Vulnerability


QNAP (Quality Network Appliance Provider) is a Taiwanese corporation that specializes in Network Attached Storage (NAS) appliances used for file sharing, virtualization, storage management and surveillance applications.
QNAP’s Photo Station is a private cloud photo storage , service that can centrally store and manage full resolution photos across all devices with QNAP NAS.

QNAP Photo Station Externally Controlled Reference | CVE-2022-27593
An externally controlled reference to a resource vulnerability exists in QNAP NAS systems that are running Photo Station. If exploited, this could allow an attacker to modify system files. SonicWall Capture Labs threat research team has observed this vulnerability being exploited in the wild.
Following versions are vulnerable:

  • QTS 5.0.1: Photo Station 6.1.2
  • QTS 5.0.0/4.5.x: Photo Station 6.0.22
  • QTS 4.3.6: Photo Station 5.7.18
  • QTS 4.3.3: Photo Station 5.4.15
  • QTS 4.2.6: Photo Station 5.2.14

According to CWE , Externally Controlled Reference Vulnerability means the product uses an externally controlled name or reference that resolves to a resource that is outside of the intended control sphere.
Following is an example of exploit:

The code is a URL string that includes a query parameter with the value “/photo/combine.php”. The query parameter “type” has a value of “javascript” and the parameter “g” has a value of 
The code is attempting to combine multiple JavaScript files located in the directory “/photo/” using the script “/photo/combine.php”. An attacker can manipulate the parameter ‘g’ by inserting directory traversal characters, potentially granting them the ability to make changes to system files.

This vulnerability can be exploited by remote, unauthenticated attackers without any user interaction.
The CVSS(Common Vulnerability Scoring System) score is 9.1 with Vector:CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

  • Attack vector is network.
  • Attack complexity is low.
  • Privileges required is none.
  • User interaction is none.
  • Scope is unchanged.
  • Impact of this vulnerability on data confidentiality is none.
  • Impact of this vulnerability on data integrity is high.
  • Impact of this vulnerability on data availability is high.

QNAP has patched this vulnerability.
Querying Shodan shows numerous QNAP devices, many of which many are still vulnerable.

SonicWall Capture Labs provides protection against this threat via following signature:

  • IPS 15790:QNAP Photo Station Externally Controlled Reference

Threat Graph

Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.