Zero-Click Flaw Exposes Potentially Millions of Popular Storage Devices to Attack

By tazz 0 comments April 18, 2025

Zero-Click Flaw Exposes Potentially Millions of Popular Storage Devices to Attack

A popular device and application used by millions of individuals and businesses around the world to store documents is vulnerable to a zero-click flaw, a group of Dutch researchers have discovered.

The vulnerability, which is called zero-click because it doesn’t require a user to click on anything to be infected, affects a photo application installed by default on popular network-attached storage (NAS) devices made by the Taiwanese firm Synology. The bug would allow attackers to gain access to the devices to steal personal and corporate files, plant a backdoor, or infect the systems with ransomware to prevent users from accessing their data.

The SynologyPhotos application package comes preinstalled and enabled by default on Synology’s line of BeeStation storage devices but is also a popular application downloaded by users of its DiskStation storage systems, which allow users to augment their storage capacity with removable components. Several ransomware groups have targeted network-attached storage devices made by Synology and others in recent years, going back to at least 2019. Earlier this year, users of Synology’s DiskStation system specifically reported being hit with ransomware.

Rick de Jager, a security researcher at Midnight Blue in the Netherlands, discovered the vulnerability in two hours as part of the Pwn2Own hacking contest in Ireland. He and colleagues Carlo Meijer, Wouter Bokslag, and Jos Wetzels conducted a scan of internet-connected devices and uncovered hundreds of thousands of Synology NASes connected online that are vulnerable to the attack. The researchers say, however, that millions of other devices are potentially vulnerable and accessible to the attack.

They, along with the Pwn2Own organizers, notified Synology about the vulnerability last week.

Network-attached storage systems are considered high-value targets for ransomware operators because they store large volumes of data. Many users connect them directly to the internet from their own networks or use Synology’s cloud storage to back up data to these systems online. The researchers tell WIRED that while the systems can be set up with a gateway that requires credentials to access them, the part of the photo application that contains the zero-click vulnerability does not require authentication, so attackers can exploit the vulnerability directly over the internet without needing to bypass a gateway. The vulnerability gives them root access to install and execute any malicious code on the device.

The researchers also said the photo application, which helps users organize photos, provided easy access whether customers connect their NAS device directly to the internet themselves or through Synology’s QuickConnect service, which allows users to access their NAS remotely from anywhere. And once attackers find one cloud-connected Synology NAS, they can easily locate others due to the way the systems get registered and assigned IDs.

“There are a lot of these devices that are connected to a private cloud through the QuickConnect service, and those are exploitable as well, so even if you don’t directly expose it to the internet, you can exploit [the devices] through this service, and that’s devices in the order of millions,” says Wetzels.

The researchers were able to identify cloud-connected Synology NASes owned by police departments in the United States and France, as well as a large number of law firms based in the US, Canada, and France, and freight and oil tank operators in Australia and South Korea. They even found ones owned by maintenance contractors in South Korea, Italy, and Canada that work on power grids and in the pharmaceutical and chemical industries.

“These are firms that store corporate data … management documents, engineering documents and, in the case of law firms, maybe case files,” Wetzels notes.

The researchers say ransomware and data theft aren’t the only concern with these devices—attackers could also turn infected systems into a botnet to service and conceal other hacking operations, such as a massive botnet that Volt Typhoon hackers from China had built from infected home and office routers to conceal their espionage operations.

Synology did not respond to a request for comment, but the company’s web site posted two security advisories related to the issue on October 25, calling the vulnerability “critical.” The advisories, which confirmed that the vulnerability was discovered as part of the Pwn2Own contest, indicate that the company released patches for the vulnerability. Synology’s NAS devices do not have automatic update capability, however, and it’s not clear how many customers know about the patch and have applied it. With the patch released, it also makes it easier for attackers to now figure out the vulnerability from the patch and design an exploit to target devices.

“It’s not trivial to find [the vulnerability] on your own, independently,” Meijer tells WIRED, “but it is pretty easy to figure out and connect the dots when the patch is actually released and you reverse-engineer the patch.”