Vulnerabilities Exposed Hundreds of Thousands of QNAP NAS Devices to Attacks

Three vulnerabilities identified in QNAP Photo Station last year could be chained to achieve pre-authentication remote code execution on affected QNAP network-attached storage (NAS) devices.

QNAP Photo Station is a photo album application that is present on the majority (roughly 80%) of QNAP NAS systems, allowing users to easily organize photos and videos on those devices, as well as to share them with others over the Internet.

Last year, CyCarrier CSIRT security researcher Henry Huang identified four critical vulnerabilities in QNAP software, three of which can be chained together to execute code remotely on the impacted systems, with root privileges.

The three bugs in Photo Station are tracked as CVE-2019-7192, CVE-2019-7194, and CVE-2019-7195, while the fourth impacts the QTS NAS operating system and is tracked as CVE-2019-7193. Each of the four vulnerabilities carries a CVSS score of 9.8.

All QNAP NAS devices with Photo Station on them would be impacted by these issues, thus being exposed to attacks, Huang explains. At the time of discovery, there were an estimated 450,000 vulnerable QNAP NAS systems connected to the Internet, the researcher says.

The first of the vulnerabilities could allow attackers to read files on the server without authentication. The attacker could abuse this bug to read a file containing a login token, which can then be leveraged to authenticate as a valid user named appuser.

Next, the attacker can proceed to exploit the second vulnerability, which allows them to inject arbitrary PHP code into the session.

The third vulnerability, the researcher explains, allows the attacker to write session contents to the server, without authentication.

Thus, an attacker could chain the three security flaws to authenticate as appuser, inject code into the PHP session, and write the modified session to Photo Station’s web directory to create a webshell.

Because the web server runs as root, the first bug also provides access to the text file that stores encrypted passwords and other password-related information, a file readable only by the root user, the researcher explains.

The security researcher decided not to disclose details about the fourth vulnerability he found, arguing that the other three flaws are enough for hacking a NAS device.

QNAP issued patches for these vulnerabilities in November last year, confirming that multiple versions of QTS and Photo Station are impacted.

All QNAP NAS devices running Photo Station that do not run the latest versions of QTS and Photo Station are exposed to attacks looking to exploit these vulnerabilities.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
