450,000 QNAP Devices Remain Vulnerable to Documented RCE Flaws

Written by Bill Toulas
Last updated September 23, 2021

Researcher Henry Huang warns about the fact that approximately 450,000 QNAP NAS instances that are indexed by Shodan remain vulnerable to the highly critical exploit chain consisting of CVE-2019–7192, CVE-2019–7193, CVE-2019–7194, and CVE-2019–7195. The researcher has scanned random samples of the 564k QNAP instances and found that 80% of them have “Photo Station” enabled, so by a statistical estimation, the number of vulnerable instances is approximately 450,000. All Photo Station versions below 6.0.3, 5.2.11, and 5.4.9 are vulnerable to the exploit chain mentioned above. QNAP had published a security advisory for this way back in November 2019.

QTS administrators are advised to log in, go to Control Panel > System > Firmware Update, click on the “Check for Update” under the Live Update tab, and let the system do the rest. Alternatively, you may visit the QNAP website, go to Support > Download Center, and then pick the right firmware pack for your specific device. On the Photo Station, admins may find the update on the “App Center,” which can fetch and install the latest available update automatically.

So, what is the danger exactly? Photo Station is an online photo album where users may upload, organize, and share photos and videos with others (family members, friends, colleagues). It supports image tags, slideshows, date filters, sharing history, GPS mapping, timeline, and more. The problem is that someone can access these instances without having to authenticate, thus accessing the personal files of other people. The first flaw concerns an API exploitation where an attacker can replace the album ID of a private collection with that of a publicly accessible album meant to be used in samples. This is a bypassing trick that results in information disclosure and eventually leads to privilege escalation.

sample album




Other vulnerabilities include the injection of arbitrary PHP code to the session for authentication tampering, while the other two concern the writing of code to random locations. All four have been reported to QNAP last summer, and the company pushed fixing updates on December 12, 2019. This is the first time that the proof of concept code has been published, thus, if you still haven’t upgraded your QNAP, do it immediately. There are about 450,000 vulnerable instances still indexed online, so crooks will now engage in a race to try accessing and possibly even downloading as many albums as possible.

For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: