Connect with us

Hi, what are you looking for?



Vulnerabilities Exposed Hundreds of Thousands of QNAP NAS Devices to Attacks

Three vulnerabilities identified in QNAP Photo Station last year could be chained to achieve pre-authentication remote code execution on affected QNAP network-attached storage (NAS) devices.

Three vulnerabilities identified in QNAP Photo Station last year could be chained to achieve pre-authentication remote code execution on affected QNAP network-attached storage (NAS) devices.

QNAP Photo Station is a photo album application that is present on the majority (roughly 80%) of QNAP NAS systems, allowing users to easily organize photos and videos on those devices, as well as to share them with others over the Internet.

Last year, CyCarrier CSIRT security researcher Henry Huang identified four critical vulnerabilities in QNAP software, three of which can be chained together to execute code remotely on the impacted systems, with root privileges.

The three bugs in Photo Station are tracked as CVE-2019–7192, CVE-2019–7194, and CVE-2019–7195, while the fourth impacts the QTS NAS operating system and is tracked as CVE-2019–7193. Each of the four vulnerabilities carries a CVSS score of 9.8.

All QNAP NAS devices with Photo Station on them would be impacted by these issues, thus being exposed to attacks, Huang explains. At the time of discovery, there were an estimated 450,000 vulnerable QNAP NAS systems connected to the Internet, the researcher says.

The first of the vulnerabilities could allow attackers to read files on the server without authentication. The attacker could abuse this bug to read a file containing a login token, which can then be leveraged to authenticate as a valid user named appuser.

Next, the attacker can proceed to exploit the second vulnerability, which allows them to inject arbitrary PHP code into the session.

The third vulnerability, the researcher explains, allows the attacker to write session contents to the server, without authentication.

Advertisement. Scroll to continue reading.

Thus, an attacker could chain the three security flaws to authenticate as appuser, inject code into the PHP session, and write the modified session to Photo Station’s web directory to make a webshell. 

The web server runs as root and the first bug provides access to the text file storing encrypted passwords and other password-related information, readable only by the root user, the researcher explains.

The security researcher decided not to disclose details about the fourth vulnerability he found, arguing that the other three flaws are enough for hacking a NAS device.

QNAP issued patches for these vulnerabilities in November last year, confirming that multiple versions of QTS and Photo Station are impacted.

All QNAP NAS devices running Photo Station that do not run the latest versions of QTS and Photo Station are exposed to attacks looking to exploit these vulnerabilities.

Related: New Mirai Variant Delivered to Zyxel NAS Devices Via Recently Patched Flaw

Related: Ransomware Targets QNAP Linux Systems

Related: Storage Maker QNAP Warns of Malware Targeting Its NAS Devices

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Gain valuable insights from industry professionals who will help guide you through the intricacies of industrial cybersecurity.


Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.