Security researchers discover a serious zero-click vulnerability in Synology's Photos app.
If you own a Synology NAS device, it is advisable to update it as soon as possible.
Synology NAS device owners urgently need to update their devices because of a zero-click vulnerability discovered in the Synology Photos app. A flaw of this type lets attackers compromise a system without any user interaction, that is, without the victim clicking on any link. What makes it more concerning is that the app comes pre-installed and enabled by default on Synology's Bee network storage line, and it is also widely used by owners of the company's DiskStation systems.
The cybersecurity firm Midnight Blue, which identified the vulnerability, estimates that millions of Synology users could be at risk. Although Synology has released a security patch that fixes the issue, NAS devices do not download updates automatically, so owners have to install it themselves. Carlo Meijer, one of the researchers, noted that "it's not trivial to discover [the vulnerability] independently," but explained that connecting the dots becomes easier once the patch is published and reverse engineering is conducted.
Midnight Blue states that the zero-click vulnerability lies in a part of the Synology Photos app that does not require authentication, so an attacker can exploit the flaw directly over the internet without first having to get past a login gateway. Successful exploitation gives the attacker root access and the ability to install malicious code on the compromised device. From that point on, the attacker's options expand significantly; the infected device could even be enlisted into a botnet. The threat of a ransomware group targeting Synology devices is not merely hypothetical: earlier this year, DiskStation users reported being victims of exactly such an attack.