- Synology has fixed a zero-click error found in multiple NAS products
- This type of flaw can be exploited without victim intervention, making it particularly dangerous
- Technical details have not been disclosed to give customers time to respond
Top Network-Attached Storage (NAS) manufacturers Synology has patched a critical vulnerability that could allow threat actors to remotely execute malicious code on affected endpoints.
The vulnerability is tracked as CVE-2024-10443 and was found in DiskStation and BeePhotos. It was demonstrated at the recent Pwn2Own Ireland 2024 hackathon, where it was described as a zero-click bug and named RISK:STATION.
A zero-click flaw is a security vulnerability that can be exploited without any interaction from the victim, such as clicking a link or opening an attachment. Attackers can use zero-click errors to compromise remote devices by simply sending a malicious message or file, making them extremely dangerous and difficult to detect.
No evidence of abuse
RISK:STATION has been found in multiple versions of the above products:
BeePhotos for BeeStation OS 1.0
BeePhotos for BeeStation OS 1.1
Synology Photos 1.6 for DSM 7.2
Synology Photos 1.7 for DSM 7.2
Because the vulnerability could lead to device takeover, data loss and worse, the details have been withheld to give the majority of users time to respond and to prevent hackers from easily exploiting it.
Since the patch was already available, users are advised to apply it immediately or risk losing sensitive data to threat actors. So far, there’s no evidence of misuse in the wild or Proof-of-Concepts (PoC), so it’s safe to assume the crooks haven’t picked up the trail yet.
NAS instances are an attractive target for cybercriminals because they often contain vast amounts of sensitive data, including personal files, business documents and backups.
Because NAS devices are often connected to networks and sometimes accessible over the Internet, they can be vulnerable to ransomware, data theft, and other attacks if not properly secured, giving attackers potential leverage for extortion or data exploitation.
Via The hacker news