An externally controlled reference to a resource vulnerability has been reported to affect QNAP NAS running Photo Station. If exploited, This could allow an attacker to modify system files. We have already fixed the vulnerability in the following versions: QTS 5.0.1: Photo Station 6.1.2 and later QTS 5.0.0/4.5.x: Photo Station 6.0.22 and later QTS 4.3.6: Photo Station 5.7.18 and later QTS 4.3.3: Photo Station 5.4.15 and later QTS 4.2.6: Photo Station 5.2.14 and later
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:HQnap Photo Station
APPQnap< 6.0.22< 5.4.15< 6.1.2< 5.7.18< 5.2.14Qnap Qts
OSQnap4.2.64.3.34.3.65.0.05.0.14.5.1 – 4.5.4.2012
CISA KEV — detailsi
- Vendori
- QNAP
- Producti
- Photo Station
- Added to KEVi
- September 8, 2022
- Remediation deadline (US Federal)i
- September 29, 2022(overdue)
- Ransomwarei
- Active ransomware campaigns exploit this vulnerability
Apply updates per vendor instructions.
Certain QNAP NAS running Photo Station with internet exposure contain an externally controlled reference to a resource vulnerability which can allow an attacker to modify system files. This vulnerability was observed being utilized in a Deadbolt ransomware campaign.
Related vulnerabilities
An improper authorization vulnerability has been reported to affect QNAP NAS running HBS 3 (Hybrid Backup Sync...
A command injection vulnerability has been reported to affect QTS and QuTS hero. If exploited, this vulnerabil...
If exploited, this command injection vulnerability could allow remote attackers to run arbitrary commands. QNA...
This improper input validation vulnerability allows remote attackers to inject arbitrary code to the system. T...
This improper access control vulnerability allows remote attackers to gain unauthorized access to the system. ...