Security readout for executives and security teams
Plain-English summary
QNAP fixed a serious flaw in its Photo Station app for NAS storage devices that, before the fix, was abused to plant Monero (XMR) cryptocurrency mining programs on customers' devices. Devices reachable over the network with vulnerable Photo Station could be taken advantage of by attackers without needing a password.
Executive priority
Patch QNAP Photo Station promptly on any NAS exposed to the internet; historically these flaws were abused to plant cryptocurrency miners on home and small-business storage devices.
Technical view
CVE-2017-20210 affects QNAP Photo Station 5.4.x and 5.2.x, fixed in 5.4.1 and 5.2.7. CVSS:3.1 9.8 (AV:N/AC:L/PR:N/UI:N/C:H/I:H/A:H) with CWE-200. QNAP's advisory ties the fix to attacks that deployed XMR mining programs on affected NAS devices. The bundle does not specify the precise root cause beyond information exposure.
Likely exposure
QNAP NAS appliances running Photo Station 5.4.x before 5.4.1 or 5.2.x before 5.2.7, particularly those reachable from the internet via myQNAPcloud, port-forwarding, or UPnP. Internal-only deployments are lower exposure but still affected if untrusted users can reach the web UI.
Exploitation context
The CVSS vector indicates network-reachable, unauthenticated attack with no user interaction. The QNAP advisory and CVE description tie this fix to XMR (Monero) cryptocurrency mining programs observed by QNAP's internal research, but the record does not assert active KEV-listed exploitation.
Researcher notes
CVE record is terse and maps to QNAP advisory NAS-201705-04. CWE-200 (information exposure) appears under-scoped given the CVSS:3.1/9.8 vector and the XMR-miner abuse pattern, suggesting the underlying weakness may include unauthenticated access leading to code execution or file write. Affected versions are stated as "5.4.x" and "5.2.x" with fixes in 5.4.1 and 5.2.7; treat any earlier build in those branches as vulnerable. No KEV listing and no public PoC referenced in the bundle; confidence is low pending vendor advisory review.
Mitigation direction
- Upgrade Photo Station to 5.4.1, 5.2.7, or later as directed by the QNAP advisory.
- Restrict NAS web services to trusted networks; disable internet exposure of Photo Station where not required.
- Disable or uninstall Photo Station on NAS devices that do not need it.
- Apply latest QTS firmware and review QNAP security advisory NAS-201705-04 for any related guidance.
- Rotate NAS administrator credentials and review account list after patching.
Validation and detection
- Inventory QNAP NAS devices and check Photo Station version in the App Center against 5.4.1 / 5.2.7.
- Audit firewall, router, and myQNAPcloud settings for any external exposure of NAS web services.
- Review NAS process lists, scheduled tasks, and CPU usage for unexpected miner processes or unknown binaries.
- Check QNAP system and access logs for anomalous Photo Station requests or new admin accounts.
- Confirm patch status via QNAP advisory NAS-201705-04 release notes after upgrade.
Public sources used
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
CWE-200: Information exposure and cloud metadata lookup
Information exposure and SSRF weaknesses can make discovery, cloud metadata, and credential material review relevant. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
Open ATT&CK lookupCVE-2017-20210 mapping review
Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
Open ATT&CK lookup- Severity
- Critical
- CVSS
- 9.8 (3.1)
- Known Exploited
- No
- Published
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CNA and ADP enrichment extracted from CVE v5
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
CVSS vector scores
1 official scoreWe collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H3.95.9Primary CVE scoreVulnerability scoring details
Base CVSS 3.1 score
9.8CriticalVector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Source materials
- CVE List V5 sourceCVE List V5
- https://www.qnap.com/en-in/security-advisory/nas-201705-04CVE reference
Products and packages named in the record
CWE details
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
Exposure of Sensitive Information to an Unauthorized Actor
Exposure of Sensitive Information to an Unauthorized Actor represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.
