PatchSiren cyber security CVE debrief
CVE-2019-7195 QNAP CVE debrief
CVE-2019-7195 is a QNAP Photo Station path traversal vulnerability that CISA has listed in the Known Exploited Vulnerabilities catalog. The KEV entry marks it as actively exploited and notes known ransomware campaign use. CISA’s required action is to apply updates per vendor instructions, with a due date of 2022-06-22 based on the 2022-06-08 KEV addition.
- Vendor: QNAP
- Product: Photo Station
- CVSS: Unknown
- CISA KEV: Listed
- Original CVE published: 2022-06-08
- Original CVE updated: 2022-06-08
- Advisory published: 2022-06-08
- Advisory updated: 2022-06-08
Who should care
Organizations that operate QNAP Photo Station deployments should treat this as a high-priority remediation item, especially if the system is exposed to untrusted users or the internet. Security teams responsible for patching, asset inventory, and incident response should confirm whether any affected QNAP devices are present and update them according to vendor guidance.
Technical summary
The public record supplied here identifies the issue as a path traversal vulnerability in QNAP Photo Station. The available source corpus does not include exploit mechanics, affected versions, or a vendor advisory, so the safest evidence-based summary is that the flaw is considered known-exploited by CISA and is associated with known ransomware campaign use. Because path traversal bugs can allow access outside intended file paths, the primary defensive concern is unauthorized file access or related abuse until vendor remediation is applied.
Defensive priority
Immediate. CISA placed this CVE in the KEV catalog and assigned a remediation due date of 2022-06-22, indicating urgent action is warranted for exposed or still-deployed systems.
Recommended defensive actions
- Identify all QNAP Photo Station installations in the environment.
- Check whether any deployed instance is affected by CVE-2019-7195 using official vendor guidance.
- Apply vendor updates or mitigations as instructed by QNAP and CISA.
- Prioritize externally reachable or business-critical systems for immediate remediation.
- Verify patch status after remediation and document any systems that cannot be updated.
- Review logs and incident-response monitoring for signs of suspicious access on affected devices.
Evidence notes
Evidence is limited to the supplied CISA KEV metadata and the linked official records. The source states: vendorProject QNAP, product Photo Station, vulnerability name "QNAP Photo Station Path Traversal Vulnerability," dateAdded 2022-06-08, dueDate 2022-06-22, knownRansomwareCampaignUse "Known," and requiredAction "Apply updates per vendor instructions." No additional technical details were provided in the corpus, so unsupported impact or exploitation claims are intentionally omitted.
Official resources
- CVE-2019-7195 CVE record (CVE.org)
- CVE-2019-7195 NVD detail (NVD)
- CISA Known Exploited Vulnerabilities catalog (CISA): Apply updates per vendor instructions.
- Source item URL: cisa_kev
CISA added CVE-2019-7195 to the Known Exploited Vulnerabilities catalog on 2022-06-08 and set a remediation due date of 2022-06-22. The supplied record also marks known ransomware campaign use as "Known."