LiveActive security incident?Get immediate response
CVE Record

CVE-2017-20210: Photo Station

Photo Station 5.4.1 & 5.2.7 include the security fix for the vulnerability related to the XMR mining programs identified by internal research.

CriticalCVSS 9.8Not KEV-listedUpdated
Glexia's TakeAutomated analysishigh

Security readout for executives and security teams

Plain-English summary

QNAP fixed a serious flaw in its Photo Station app for NAS storage devices that, before the fix, was abused to plant Monero (XMR) cryptocurrency mining programs on customers' devices. Devices reachable over the network with vulnerable Photo Station could be taken advantage of by attackers without needing a password.

Executive priority

Patch QNAP Photo Station promptly on any NAS exposed to the internet; historically these flaws were abused to plant cryptocurrency miners on home and small-business storage devices.

Technical view

CVE-2017-20210 affects QNAP Photo Station 5.4.x and 5.2.x, fixed in 5.4.1 and 5.2.7. CVSS:3.1 9.8 (AV:N/AC:L/PR:N/UI:N/C:H/I:H/A:H) with CWE-200. QNAP's advisory ties the fix to attacks that deployed XMR mining programs on affected NAS devices. The bundle does not specify the precise root cause beyond information exposure.

Likely exposure

QNAP NAS appliances running Photo Station 5.4.x before 5.4.1 or 5.2.x before 5.2.7, particularly those reachable from the internet via myQNAPcloud, port-forwarding, or UPnP. Internal-only deployments are lower exposure but still affected if untrusted users can reach the web UI.

Exploitation context

The CVSS vector indicates network-reachable, unauthenticated attack with no user interaction. The QNAP advisory and CVE description tie this fix to XMR (Monero) cryptocurrency mining programs observed by QNAP's internal research, but the record does not assert active KEV-listed exploitation.

Researcher notes

CVE record is terse and maps to QNAP advisory NAS-201705-04. CWE-200 (information exposure) appears under-scoped given the CVSS:3.1/9.8 vector and the XMR-miner abuse pattern, suggesting the underlying weakness may include unauthenticated access leading to code execution or file write. Affected versions are stated as "5.4.x" and "5.2.x" with fixes in 5.4.1 and 5.2.7; treat any earlier build in those branches as vulnerable. No KEV listing and no public PoC referenced in the bundle; confidence is low pending vendor advisory review.

Mitigation direction

  • Upgrade Photo Station to 5.4.1, 5.2.7, or later as directed by the QNAP advisory.
  • Restrict NAS web services to trusted networks; disable internet exposure of Photo Station where not required.
  • Disable or uninstall Photo Station on NAS devices that do not need it.
  • Apply latest QTS firmware and review QNAP security advisory NAS-201705-04 for any related guidance.
  • Rotate NAS administrator credentials and review account list after patching.

Validation and detection

  • Inventory QNAP NAS devices and check Photo Station version in the App Center against 5.4.1 / 5.2.7.
  • Audit firewall, router, and myQNAPcloud settings for any external exposure of NAS web services.
  • Review NAS process lists, scheduled tasks, and CPU usage for unexpected miner processes or unknown binaries.
  • Check QNAP system and access logs for anomalous Photo Station requests or new admin accounts.
  • Confirm patch status via QNAP advisory NAS-201705-04 release notes after upgrade.
Prepared
Confidence
low
Sources
3

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cwe · medium confidence lookup

CWE-200: Information exposure and cloud metadata lookup

Information exposure and SSRF weaknesses can make discovery, cloud metadata, and credential material review relevant. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.

Open ATT&CK lookup
cve · low confidence lookup

CVE-2017-20210 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Critical
CVSS
9.8 (3.1)
Known Exploited
No
Published

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

1CVSS vectors
0Timeline events
0ADP providers
2Source links

CVSS vector scores

1 official score

We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.

ScoreVersionSeverityVectorExploitImpactSource
9.8CVSS 3.1CriticalCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H3.95.9Primary CVE score

Vulnerability scoring details

Base CVSS 3.1 score

9.8Critical
CVSS 3.1 vector shape for CVE-2017-20210Attack VectorAttack ComplexityPrivileges RequiredUser InteractionScopeConfidentiality ImpactIntegrity ImpactAvailability Impact

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector
NetworkAdjacentLocalPhysical
Attack Complexity
LowHigh
Privileges Required
NoneLowHigh
User Interaction
NoneRequired
Scope
ChangedUnchanged
Confidentiality Impact
HighLowNone
Integrity Impact
HighLowNone
Availability Impact
HighLowNone
Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
QNAP Systems Inc.Photo Station5.4.x, 5.2.xunaffected
Weakness

CWE details

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.

CWE-200 · source CWE mapping

Exposure of Sensitive Information to an Unauthorized Actor

Exposure of Sensitive Information to an Unauthorized Actor represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.