- Synology patches critical zero-click vulnerabilities in NAS devices
- Attackers can exploit vulnerabilities without user interaction
- $260,000 was awarded to researchers for discovering exploits
Synology has recently patched a critical security flaw in its NAS device products which could have allowed hackers to hijack victim units.
The company released two advisories to notify users about patched vulnerabilities in its data storage products, specifically those in Photos for DMS and BeePhotos for BeeStation.
The identified issues, shown off at the recent Pwn2Own Ireland 2024 event, allowed for remote code execution, posing a serious threat as they enabled attackers to take control of affected devices without user interaction.
Critical vulnerabilities revealed
Remote code execution vulnerabilities are especially dangerous as they give attackers the ability to execute arbitrary commands on the device, putting sensitive data at risk.
By addressing these flaws, Synology has ensured users who apply the updates can better protect their devices from potential attacks, as this not only prevents potential remote access, but also reduces the likelihood of ransomware, data theft, and other types of attacks that exploit NAS vulnerabilities.
Devices storing sensitive information are often connected to the internet, therefore they are usually susceptible to attacks. To guard against malicious actors, it is important to employ regular security patches.
Organized by Trend Micro’s Zero Day Initiative (ZDI), Pwn2Own Ireland 2024 awarded over $1 million to white-hat hackers who successfully demonstrated exploits across devices, including NAS systems, cameras, and smart speakers.
Synology was one of the companies with security flaws with its products earning researchers $260,000 in total for their discovered vulnerabilities. The company quickly responded to the competition findings and addressed critical flaws in its products.
Via SecurityWeek
