Vulnerability identifier: #VU28115

Vulnerability risk: High

CVSSv3.1: 9.4 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C]

CVE-ID: CVE-2019-7193

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: Yes

Vulnerable software:
QNAP QTS
Server applications / File servers (FTP/HTTP)
Photo Station
Client/Desktop applications / Other client software

Vendor: QNAP Systems, Inc.

Description

The vulnerability allows a remote attacker to execute arbitrary code on the system.

The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can pass specially crafted input to the application and execute arbitrarycode on the target system.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

QNAP QTS: 4.4.0.0752 20181112 - 4.4.1.1033 20190818, 4.3.3 - 4.3.6.1033 20190813, 4.2.6 2018082 - 4.2.6 20200421

Photo Station: 6.0.0 - 6.0.2, 5.7.0 - 5.7.9, 5.4.0 - 5.4.8, 5.2.0 - 5.2.10

---

External links
http://www.qnap.com/zh-tw/security-advisory/nas-201911-25

---

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

Yes. This vulnerability is being exploited in the wild.