November 1, 2024 By Fiza Ali
A newly identified Remote Code Execution (RCE) vulnerability in Synology’s network-attached storage (NAS) devices has placed millions of users at risk, allowing attackers to remotely access these systems without any interaction from users.
Categorised as a “zero-click” vulnerability, this flaw enables attackers to exploit Synology devices without requiring the user to open files or click on links. The issue originates from two applications: Synology Photos (Synology-SA-24:19) and BeePhotos (Synology-SA-24:18), both of which come pre-installed and enabled by default on Synology’s consumer line of Bee network storage devices. The Photos app is also a popular download among users of the DiskStation systems.
Dutch cybersecurity firm Midnight Blue discovered the vulnerability during the annual Pwn2Own hacking contest organised by the Zero Day Initiative, and estimates that millions of Synology users may be at risk from this RCE flaw, which is located in a part of the Photos and BeePhotos apps that does not require authentication.