Synology tells NAS device users to patch immediately following zero-day reveal
published 6 November 2024
New vulnerability can be exploited without any user interaction
- Synology has patched a zero-click flaw found in multiple NAS products
- This type of flaw can be exploited with no victim interaction, making it particularly dangerous
- Technical details were not disclosed to give customers time to react
Top network-attached storage (NAS) makers Synology has patched a critical severity vulnerability which could have allowed threat actors to remotely execute malicious code on affected endpoints.
The vulnerability is tracked as CVE-2024-10443, and was found in DiskStation and BeePhotos. It was showcased during the recent Pwn2Own Ireland 2024 hackathon, where it was described as a zero-click flaw, and dubbed RISK:STATION.
A zero-click flaw is a security vulnerability that can be exploited without any interaction from the victim, like clicking a link or opening an attachment. Attackers can use zero-click flaws to remotely compromise devices simply by sending a malicious message or file, making them particularly dangerous and difficult to detect.
No evidence of abuse
RISK:STATION was found affecting multiple versions of the above mentioned products:
BeePhotos for BeeStation OS 1.0
BeePhotos for BeeStation OS 1.1
Synology Photos 1.6 for DSM 7.2
Synology Photos 1.7 for DSM 7.2
As the vulnerability can lead to device takeover, loss of data, and worse, the details have been withheld to give the majority of users time to react, and to prevent hackers from easily exploiting it.
Since the patch was already made available, users are advised to apply it immediately, or risk losing sensitive data to threat actors. So far, there has been no evidence of in-the-wild abuse or Proof-of-Concepts (PoC), so it’s safe to assume the crooks haven’t picked the trail up just yet.
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
NAS instances are an attractive target for cybercriminals because they often hold vast amounts of sensitive data, including personal files, business documents, and backups.
Since NAS devices are frequently connected to networks and sometimes accessible over the internet, they can be vulnerable to ransomware, data theft, and other attacks if not properly secured, providing attackers with potential leverage for extortion or data exploitation.
Via The Hacker News
You might also like
- Top NAS devices are being targeted by this dangerous malware
- Here’s a list of the best firewalls today
- These are the best endpoint protection tools right now
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
Google Cloud is making multi-factor authentication mandatory for all users
The FBI wants the public to help it track down Chinese hackers
Future Apple Watches could get a genius way to track your health, thanks to smart straps
Most Popular
-
1Synology tells NAS device users to patch immediately following zero-day reveal
-
2Future Apple Watches could get a genius way to track your health, thanks to smart straps
-
3Google Cloud is making multi-factor authentication mandatory for all users
-
4I tried the iPad mini 7 and it’s the perfect (and cheapest) device for Apple Intelligence
-
5Which Roomba should I buy? A simple guide to the different robot vacuum options