CVE-2019-7193
In short
A QNAP NAS system fails to properly validate user input, allowing remote attackers to inject and execute arbitrary code without needing to be logged in. This is a critical flaw because it gives attackers complete control over the device.
Technical detail
CWE-20 improper input validation vulnerability in QNAP QTS enables remote code injection via unvalidated input parameters. The attack vector is network-based with no authentication requirement; exploitation allows arbitrary code execution with system privileges. QNAP mitigation requires updating to patched QTS versions.
Summary generated and translated by AI from the official description.
This improper input validation vulnerability allows remote attackers to inject arbitrary code to the system. To fix the vulnerability, QNAP recommend updating QTS to their latest versions.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products
n/a · QNAP NAS devices
Public PoCs found — 1
cve_reference: packetstormsecurity.com/files/157857/QNAP-QTS-And-Photo-Station-6.0.3-Remote-Command-Execution.html (unverified)
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.