Synology Urges Patch for Critical Zero-Click RCE Flaw Affecting Millions of NAS Devices

Synology, a Taiwanese manufacturer of network-attached storage (NAS) appliances, has addressed a critical security vulnerability known as CVE-2024-10443, nicknamed RISK:STATION. This flaw affects Synology’s DiskStation and BeePhotos and poses a significant risk of remote code execution. The severity of the vulnerability was highlighted by its demonstration at the Pwn2Own Ireland 2024 hacking contest by security researcher Rick de Jager.

The RISK:STATION vulnerability is classified as an “unauthenticated zero-click” flaw: an attacker can execute code as root on millions of exposed Synology devices without credentials and without any action by the device’s user. That combination raises the threat level considerably, since an attacker who reaches a vulnerable device could read the data stored on it and install additional malware.

The vulnerability affects numerous versions of Synology’s products, placing an estimated one to two million devices at risk. To limit the threat, Synology has withheld technical details of the flaw until users have had time to apply the patches, and it is urging affected customers to update their systems without delay.

QNAP, meanwhile, has released patches for three critical vulnerabilities demonstrated at the same Pwn2Own contest that affect its networked devices. The flaws, tracked as CVE-2024-50389, CVE-2024-50387, and CVE-2024-50388, are fixed in recent updates to QuRouter, SMB Service, and HBS 3 Hybrid Backup Sync, respectively.

Despite the seriousness of these vulnerabilities, there is currently no evidence that any of them have been exploited in the wild. Experts nonetheless advise users to apply the available patches promptly, since NAS devices have a long history of being prime targets for ransomware and other attacks.

The situation underscores the importance of proactive security measures and the need for users to stay vigilant and responsive to emerging vulnerabilities, particularly in light of growing attacks aimed at storage solutions like NAS devices that house sensitive and critical data.