← back
CVE-2019-7193

CVE-2019-7193

CVSS 9.8 CRITICALEPSS 14.4%● KEVCWE-20
Vexday Risk Score
83Fix now
SSVC decision (CISA)
Act
Exploitation + impact → act immediately
CVSS 9.8EPSS 14.4%KEV simPoC públicaNuclei Metasploit Patch
Lifecycle
05 Dec 2019Published on NVD
08 Jun 2022Active exploitation (CISA KEV)
Recommendation: Patch as soon as possible — active exploitation confirmed.
In short

A QNAP NAS system fails to properly validate user input, allowing remote attackers to inject and execute arbitrary code without needing to be logged in. This is a critical flaw because it gives attackers complete control over the device.

Technical detail

CWE-20 improper input validation vulnerability in QNAP QTS enables remote code injection via unvalidated input parameters. The attack vector is network-based with no authentication requirement; exploitation allows arbitrary code execution with system privileges. QNAP mitigation requires updating to patched QTS versions.

Summary generated and translated by AI from the official description.
This improper input validation vulnerability allows remote attackers to inject arbitrary code to the system. To fix the vulnerability, QNAP recommend updating QTS to their latest versions.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products
n/a · QNAP NAS devices
public PoCs found1
cve_referencepacketstormsecurity.com/files/157857/QNAP-QTS-And-Photo-Station-6.0.3-Remote-Command-Execution.htmlunverified
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
http://packetstormsecurity.com/files/157857/QNAP-QTS-And-Photo-Station-6.0.3-Remote-Command-Execution.htmlhttps://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-7193https://www.qnap.com/zh-tw/security-advisory/nas-201911-25