A Dutch security firm has discovered a critical “zero-click” vulnerability in Synology’s pre-installed Photos app, which affects millions of devices worldwide. The vulnerability allows attackers to gain root access and install malicious code without needing authentication.
Synology was notified about the issue immediately after it was reported at the Pwn2Own hacking contest in Ireland. A patch was made available within 48 hours, but users are advised to update their devices manually because Synology NAS devices have limited automatic update capabilities.
The “zero-click” vulnerability is particularly concerning because it lets attackers exploit the device without having to bypass a gateway or authenticate. To mitigate this risk, users are urged to upgrade their Photos apps and operating systems to the latest versions.
This discovery highlights the importance of software updates for devices rich in personal data, such as NAS machines, which were previously targeted by hackers in 2021. Western Digital’s My Book Live NAS products suffered a major attack due to two major vulnerabilities, underscoring the need for timely patching and security measures.
Source: https://petapixel.com/2024/11/04