CVE-2022-27593
Published on September 8, 2022

An externally controlled reference to a resource vulnerability has been reported to affect QNAP NAS running Photo Station. If exploited, This could allow an attacker to modify system files. We have already fixed the vulnerability in the following versions: QTS 5.0.1: Photo Station 6.1.2 and later QTS 5.0.0/4.5.x: Photo Station 6.0.22 and later QTS 4.3.6: Photo Station 5.7.18 and later QTS 4.3.3: Photo Station 5.4.15 and later QTS 4.2.6: Photo Station 5.2.14 and later

Vendor Advisory NVD

Known Exploited Vulnerability

This QNAP Photo Station Externally Controlled Reference Vulnerability is part of CISA's list of Known Exploited Vulnerabilities. Certain QNAP NAS running Photo Station with internet exposure contain an externally controlled reference to a resource vulnerability which can allow an attacker to modify system files. This vulnerability was observed being utilized in a Deadbolt ransomware campaign.

The following remediation steps are recommended / required by September 29, 2022: Apply updates per vendor instructions.

Vulnerability Analysis

CVE-2022-27593 can be exploited with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. It has the highest possible exploitability rating (3.9). The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality, a high impact on integrity and availability.

Externally Controlled Reference to a Resource in Another Sphere

The product uses an externally controlled name or reference that resolves to a resource that is outside of the intended control sphere.


Products Associated with CVE-2022-27593

You can be notified by stack.watch whenever vulnerabilities like CVE-2022-27593 are published in these products:

What versions are vulnerable to CVE-2022-27593?

Each of the following must match for the vulnerability to exist.

Each of the following must match for the vulnerability to exist.

Each of the following must match for the vulnerability to exist.

Each of the following must match for the vulnerability to exist.

Each of the following must match for the vulnerability to exist.