What is QNAP Photo Station?
QNAP Photo Station is a web-based photo management and sharing application bundled with QNAP Network-Attached Storage (NAS) devices. It allows users to organize, share, and view photos stored on their NAS from a web browser or mobile device. QNAP NAS devices running Photo Station are often directly connected to the internet to allow remote photo access, making internet-facing Photo Station instances a large attack surface. QNAP NAS devices are widely used by small businesses and consumers for network storage, making them attractive targets for ransomware operators seeking to encrypt business-critical or personal data.
Overview
CVE-2022-27593 is a critical externally controlled reference vulnerability (CWE-610, CVSS 10.0 with scope changed) in QNAP Photo Station that allows an unauthenticated remote attacker to modify system files on the NAS device. By manipulating an externally controlled reference that Photo Station uses to access PHP files or other server-side resources, an attacker can overwrite files in the web application directory, enabling code execution. This vulnerability was actively exploited in a DeadBolt ransomware campaign that began around September 3, 2022. QNAP took the unusual step of force-pushing a patch to internet-exposed devices before publishing the advisory, in an effort to minimize the exploitation window.
Affected Versions
| Product | Vulnerable | Fixed |
|---|---|---|
| QNAP Photo Station | Before 6.4.2 (QTS 5.0.1) | 6.4.2 and later |
| QNAP Photo Station | Before 6.3.3 (QTS 5.0.0) | 6.3.3 and later |
| QNAP Photo Station | Before 6.0.22 (QTS 4.5.4) | 6.0.22 and later |
QNAP also recommends migrating to the QuMagie photo application, which is not affected by this vulnerability.
Technical Details
The vulnerability (CWE-610: Externally Controlled Reference to a Resource in Another Sphere) occurs when the Photo Station application processes a user-supplied input that specifies or influences a reference to a server-side resource — such as a PHP include path, file path, or internal URL — without sufficient validation.
An unauthenticated attacker can craft an HTTP request that manipulates this reference to:
- Point to an attacker-controlled external resource (a server the attacker controls)
- Cause the NAS to fetch or process the attacker's content as if it were a trusted server-side file
- Overwrite or inject content into the web application's PHP files or other executable resources
- Achieve remote code execution with the web server process privileges
The CVSS score of 10.0 with scope changed reflects that the vulnerability crosses a security boundary — successful exploitation affects resources beyond the Photo Station application itself, impacting the underlying NAS operating system.
Discovery
The vulnerability was identified by QNAP's internal security team in response to intelligence about active DeadBolt ransomware activity. QNAP's response was unusually proactive: rather than waiting for a formal advisory cycle, QNAP force-deployed the patch to internet-exposed Photo Station installations automatically, prior to public disclosure. The KEV addition and advisory were published simultaneously on September 8, 2022 — after the patch was already deployed to reduce the window for exploitation.
Exploitation Context
DeadBolt is a ransomware strain that has exclusively targeted QNAP and ASUSTOR NAS devices in multiple distinct campaigns throughout 2022. The operators demonstrated intimate knowledge of QNAP's product line and exploited multiple QNAP vulnerabilities in succession:
- January 2022: DeadBolt exploited an unknown vulnerability in Photo Station
- June 2022: Exploited CVE-2022-27593 precursor vulnerabilities in QNAP Surveillance Station
- September 2022: CVE-2022-27593 campaign — thousands of NAS devices encrypted within days of the patch
Unlike enterprise ransomware that targets corporate networks, DeadBolt specifically encrypts files stored on NAS devices and leaves a ransom note directly in the storage, demanding Bitcoin payments (typically 0.03 BTC per victim). The operators also offered to sell the zero-day exploit details to QNAP for a larger sum (5 BTC), a novel extortion tactic targeting the vendor directly.
The "Known Ransomware Use: Yes" designation reflects that this vulnerability served as the initial access vector for a large-scale ransomware campaign.
Remediation
- Update Photo Station immediately: Install the patched version for your QTS firmware version per QSA-22-24. QNAP may have auto-applied this update to internet-exposed devices, but verify your Photo Station version manually.
- Migrate to QuMagie: QNAP recommends replacing Photo Station with their newer QuMagie photo management application, which has a more secure architecture and is not vulnerable to this issue.
- Disable UPnP and port forwarding: Audit your router's UPnP settings to ensure your NAS management interfaces and Photo Station are not directly internet-accessible. Use QNAP's myQNAPcloud service or a VPN for remote access instead.
- Enable QNAP Security Counselor: QNAP's built-in Security Counselor can audit your device for security misconfigurations.
- Verify no ransomware infection: If your NAS was internet-exposed prior to patching, check for DeadBolt ransom notes (typically a modified index.html in shared folders) and unexpected file encryption.
- Offline backups: Maintain at least one backup copy of NAS data on media that is not permanently connected to the network (external drive, cloud with versioning), as ransomware operators specifically target NAS backup repositories.
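To support the first remediation step (verifying the installed Photo Station version rather than trusting the auto-update), the following is an added triage helper, not code from QNAP or from this advisory. It encodes the fixed versions from the affected-versions table above; the QTS version strings, hostnames and installed versions are constructed sample inputs, and how the version is read from a device (App Center, or the package metadata on the NAS) is left to the operator.

```python
"""Triage QNAP Photo Station installations against the QSA-22-24 fixed versions."""
from typing import Dict, List, Optional, Tuple

# Fixed Photo Station version per QTS firmware branch (from the affected-versions table).
FIXED_VERSION_BY_QTS: Dict[str, Tuple[int, ...]] = {
    "5.0.1": (6, 4, 2),
    "5.0.0": (6, 3, 3),
    "4.5.4": (6, 0, 22),
}

# Constructed sample inventory: (hostname, QTS version, Photo Station version).
SAMPLE_INVENTORY: List[Tuple[str, str, str]] = [
    ("nas-01", "5.0.1.2131", "6.4.1"),   # below fixed version for QTS 5.0.1
    ("nas-02", "5.0.0.1986", "6.3.3"),   # exactly the fixed version for QTS 5.0.0
    ("nas-03", "4.3.6.1907", "6.0.22"),  # QTS branch not covered by the advisory table
]

def parse_version(text: str) -> Tuple[int, ...]:
    """Parse a dotted version such as '6.0.22' into (6, 0, 22); reject non-numeric parts."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)

def qts_branch(qts_version: str) -> str:
    """Reduce a QTS version string (assumed form '5.0.1.2131') to its 'major.minor.patch' branch."""
    return ".".join(str(n) for n in parse_version(qts_version)[:3])

def is_vulnerable(qts_version: str, photo_station_version: str) -> Optional[bool]:
    """True if Photo Station is below the fixed version for this QTS branch, False if at or
    above it, None if the QTS branch is not listed in the advisory table (needs manual review)."""
    fixed = FIXED_VERSION_BY_QTS.get(qts_branch(qts_version))
    if fixed is None:
        return None
    # Tuple comparison is numeric per component, so 6.4.10 correctly sorts above 6.4.2.
    return parse_version(photo_station_version) < fixed

def triage(inventory: List[Tuple[str, str, str]]) -> Dict[str, str]:
    """Map each host to 'patch required', 'fixed' or 'not in advisory table'."""
    result: Dict[str, str] = {}
    for host, qts, photo_station in inventory:
        verdict = is_vulnerable(qts, photo_station)
        if verdict is None:
            result[host] = "not in advisory table"
        else:
            result[host] = "patch required" if verdict else "fixed"
    return result

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```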
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2022-27593 |
| Vendor / Product | QNAP — Photo Station |
| NVD Published | 2022-09-08 |
| NVD Last Modified | 2025-11-03 |
| CVSS 3.1 Score | 10.0 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H |
| Severity | CRITICAL |
| CWE | CWE-610 |
| CISA KEV Added | 2022-09-08 |
| CISA KEV Deadline | 2022-09-29 |
| Known Ransomware Use | ⚠️ Yes |
Timeline
| Date | Event |
|---|---|
| 2022-09-03 | QNAP silently deployed Photo Station patch to internet-exposed devices |
| 2022-09-03 | DeadBolt ransomware operators began actively exploiting the vulnerability |
| 2022-09-08 | QNAP published QSA-22-24; CVE published; CISA added to KEV |
| 2022-09-29 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| NVD — CVE-2022-27593 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |
| QNAP Security Advisory QSA-22-24 | Vendor Advisory |