What vulnerability was found in Synology NAS devices?

A zero-click vulnerability was discovered in the SynologyPhotos application on Synology NAS devices, which allows attackers to access devices remotely without user interaction. Attackers can exploit this flaw to steal sensitive files, install backdoors, or deploy ransomware.

Who discovered the Synology NAS zero-click vulnerability?

Rick de Jager, a security researcher from Midnight Blue in the Netherlands, discovered the vulnerability during the Pwn2Own hacking contest held in Ireland.

What risks does this vulnerability pose to Synology NAS users?

This vulnerability enables attackers to remotely access Synology NAS devices, allowing them to steal personal or corporate files, install backdoors for continuous access, or infect systems with ransomware that locks users out of their data.

Which Synology NAS devices are affected by this vulnerability?

The vulnerability affects Synology NAS devices with the SynologyPhotos app installed, including BeeStation and DiskStation devices. Research scans indicate that hundreds of thousands of NAS devices may be vulnerable, with potential exposure for millions globally.

What sectors are at risk from this Synology NAS vulnerability?

Several critical sectors using Synology NAS systems are at risk, including police departments, law firms, power grid maintenance contractors, and organizations in the pharmaceutical and chemical production industries.

How can Synology NAS users protect their devices from this vulnerability?

Synology has released updates to address the vulnerability in their software. Users should immediately upgrade to the following versions: BeePhotos for BeeStation OS 1.1.0-10053 or above, BeePhotos for BeeStation OS 1.0.2-10026 or above, Synology Photos 1.7.0-0795 or above for DSM 7.2, and Synology Photos 1.6.2-0720 or above for DSM 7.2.

When did Synology release advisories about this vulnerability?

Synology posted two advisories on October 25, confirming the vulnerability's discovery at Pwn2Own and informing users of the patches available to secure affected systems.

Are the updates for Synology NAS devices applied automatically?

No, the updates to address this vulnerability are not automatically applied. Users must manually update their Synology NAS devices to the latest versions to prevent potential attacks.

Advisory

Security researcher reports critical zero-click flaws in Synology products

published: Nov. 1, 2024

Take action: If you are running Synology NAS, update your BeePhotos for BeeStation OS and Synology Photos IMMEDIATELY. There is a full exploit writeup and huge numbers of Synlogy NAS devices are either exposed to the internet or widely accessible to a lot of people.

Learn More

Synology NAS devices, widely used for document storage by individuals and businesses globally, have been found vulnerable to a zero-click exploit in their SynologyPhotos application, which is installed by default.

This vulnerability, tracked as CVE-2024-10443 (CVSS score not available) and dubbed RISK:STATION requires no user interaction to be exploited, allows attackers to access the devices remotely to:

Steal sensitive corporate or personal files,
Install a backdoor for ongoing access,
Infect systems with ransomware to lock users out of their data.

The vulnerability was discovered by Rick de Jager, a security researcher at Midnight Blue in the Netherlands, during the Pwn2Own hacking contest in Ireland.

He and fellow researchers found that the SynologyPhotos app, preinstalled on BeeStation devices and commonly used on DiskStation devices, has an unauthenticated access flaw.

Research scans revealed hundreds of thousands of potentially affected NAS devices, with estimates suggesting millions could be vulnerable. Additionally, Synology NAS systems used by critical sectors, including police departments, law firms, and contractors in industries like power grid maintenance, pharmaceutical, and chemical production, were identified as connected and accessible online.

Synology posted two advisories about this critical vulnerability on October 25, confirming the discovery at Pwn2Own and releasing patches. Users may not be aware of the update or have installed it, leaving many devices exposed.

Synology says it addressed the vulnerabilities in the following software releases; however, they're not automatically applied on vulnerable systems, and customers are advised to update as soon as possible to block potential incoming attacks:

BeePhotos for BeeStation OS 1.1: Upgrade to 1.1.0-10053 or above
BeePhotos for BeeStation OS 1.0: Upgrade to 1.0.2-10026 or above
Synology Photos 1.7 for DSM 7.2: Upgrade to 1.7.0-0795 or above.
Synology Photos 1.6 for DSM 7.2: Upgrade to 1.6.2-0720 or above.

Users should upgrade their systems immediately.

Security researcher reports critical zero-click flaws in Synology products

Read More
Google releases Android August patches, fixes at least …
Mozilla Releases Security Updates for Firefox and Thunderbird
Researcher Leaks 'BlueHammer' Windows Zero-Day Exploit Following MSRC …
Apple Magic Keyboard receives security update, wise to …
Google Issues Chrome Update for High-Severity Vulnerabilities