10
CVE-2022-27593
- EPSS 93.42%
- Published 08.09.2022 11:15:19
- Last modified 12.02.2025 20:57:32
- Source security@qnapsecurity.com.tw
An externally controlled reference to a resource vulnerability has been reported to affect QNAP NAS running Photo Station. If exploited, this could allow an attacker to modify system files. We have already fixed the vulnerability in the following versions:
- QTS 5.0.1: Photo Station 6.1.2 and later
- QTS 5.0.0/4.5.x: Photo Station 6.0.22 and later
- QTS 4.3.6: Photo Station 5.7.18 and later
- QTS 4.3.3: Photo Station 5.4.15 and later
- QTS 4.2.6: Photo Station 5.2.14 and later

Data is provided by the National Vulnerability Database (NVD)
Qnap ≫ Photo Station Version < 5.2.14
Qnap ≫ Photo Station Version < 5.4.15
Qnap ≫ Photo Station Version < 5.7.18
Qnap ≫ Photo Station Version < 6.0.22
Qnap ≫ Photo Station Version < 6.1.2
08.09.2022: CISA Known Exploited Vulnerabilities (KEV) Catalog
- Vulnerability: QNAP Photo Station Externally Controlled Reference Vulnerability
- Description: Certain QNAP NAS running Photo Station with internet exposure contain an externally controlled reference to a resource vulnerability which can allow an attacker to modify system files. This vulnerability was observed being utilized in a Deadbolt ransomware campaign.
- Required actions: Apply updates per vendor instructions.

Type | Source | Score | Percentile |
---|---|---|---|
EPSS | FIRST.org | 93.42% | 0.998 |

Source | Base Score | Exploit Score | Impact Score | Vector string |
---|---|---|---|---|
nvd@nist.gov | 9.1 | 3.9 | 5.2 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H |
security@qnapsecurity.com.tw | 10 | 3.9 | 6 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H |

CWE-610 Externally Controlled Reference to a Resource in Another Sphere
The product uses an externally controlled name or reference that resolves to a resource that is outside of the intended control sphere.