QNAP Photo Station Externally Controlled Reference Vulnerability

April 21, 2023

QNAP (Quality Network Appliance Provider) is a Taiwanese corporation that specializes in Network Attached Storage (NAS) appliances used for file sharing, virtualization, storage management and surveillance applications.
QNAP’s Photo Station is a private cloud photo storage service that can centrally store and manage full-resolution photos across all devices with QNAP NAS.

QNAP Photo Station Externally Controlled Reference | CVE-2022-27593
An externally controlled reference to a resource vulnerability exists in QNAP NAS systems that are running Photo Station. If exploited, this could allow an attacker to modify system files. SonicWall Capture Labs threat research team has observed this vulnerability being exploited in the wild.
The following versions are vulnerable:

  • QTS 5.0.1: Photo Station 6.1.2
  • QTS 5.0.0/4.5.x: Photo Station 6.0.22
  • QTS 4.3.6: Photo Station 5.7.18
  • QTS 4.3.3: Photo Station 5.4.15
  • QTS 4.2.6: Photo Station 5.2.14

According to CWE, an Externally Controlled Reference vulnerability means the product uses an externally controlled name or reference that resolves to a resource that is outside of the intended control sphere.
The following is an example of an exploit:

The code is a URL string that includes a query parameter with the value “/photo/combine.php”. The query parameter “type” has a value of “javascript” and the parameter “g” has a value of 
The code is attempting to combine multiple JavaScript files located in the directory “/photo/” using the script “/photo/combine.php”. An attacker can manipulate the parameter ‘g’ by inserting directory traversal characters, potentially granting them the ability to make changes to system files.
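
For defenders reviewing web server logs, the following added example (not SonicWall's signature or QNAP code) flags requests to /photo/combine.php whose 'g' parameter resolves to a directory traversal sequence after repeated percent-decoding. The log lines, the benign value "core-min", and the function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [21/Apr/2023:10:00:01 +0000] "GET /photo/combine.php?type=javascript&g=core-min HTTP/1.1" 200 5120
203.0.113.9 - - [21/Apr/2023:10:00:07 +0000] "GET /photo/combine.php?type=javascript&g=../../../tmp/placeholder HTTP/1.1" 200 0
203.0.113.9 - - [21/Apr/2023:10:00:09 +0000] "GET /photo/combine.php?type=javascript&g=%252e%252e%252fplaceholder HTTP/1.1" 200 0
203.0.113.7 - - [21/Apr/2023:10:00:11 +0000] "GET /photo/index.php?g=../x HTTP/1.1" 404 0
"""

REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# ".." as a whole path segment, with either slash style as the separator.
TRAVERSAL_RE = re.compile(r'(^|[\\/])\.\.([\\/]|$)')

def fully_decode(value, max_rounds=5):
    """Percent-decode repeatedly so double-encoded sequences are normalised."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_suspicious(target):
    """True if the request targets combine.php with traversal in 'g'."""
    parts = urlsplit(target)
    if fully_decode(parts.path).lower() != "/photo/combine.php":
        return False
    # parse_qs decodes once; fully_decode handles any remaining layers.
    values = parse_qs(parts.query, keep_blank_values=True).get("g", [])
    return any(TRAVERSAL_RE.search(fully_decode(v)) for v in values)

def scan(log_text):
    """Return (client_ip, request_target) for each flagged log line."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if m and is_suspicious(m.group(2)):
            hits.append((m.group(1), m.group(2)))
    return hits

if __name__ == "__main__":
    for ip, target in scan(SAMPLE_LOG):
        print(ip, target)
```

A hit indicates a request worth investigating, not confirmed compromise; correlate with the Photo Station version on the device and file integrity checks.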

This vulnerability can be exploited by remote, unauthenticated attackers without any user interaction.
The CVSS (Common Vulnerability Scoring System) score is 9.1, with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

  • Attack vector is network.
  • Attack complexity is low.
  • Privileges required is none.
  • User interaction is none.
  • Scope is unchanged.
  • Impact of this vulnerability on data confidentiality is none.
  • Impact of this vulnerability on data integrity is high.
  • Impact of this vulnerability on data availability is high.

QNAP has patched this vulnerability.
Querying Shodan shows numerous QNAP devices, many of which are still vulnerable.

SonicWall Capture Labs provides protection against this threat via the following signature:

  • IPS 15790: QNAP Photo Station Externally Controlled Reference
