neowin[.]net/news/a-security-flaw-in-synologys-photos-app-exposes-users-to-zero-click-attacks/
Zero-click means that those with an affected Synology NAS [Network Attached Storage] device don't have to do anything -- do not have to click a link or open a file or run an app -- to become compromised. Obviously this is the worst type of vulnerability. Synology has released a patch, but it has to be downloaded and installed manually. The patch release also means that cyber criminals can & will reverse engineer the patch to find out just how to exploit the flaw.
A newly identified Remote Code Execution (RCE) vulnerability in Synology’s network-attached storage (NAS) devices has placed millions of users at risk, allowing attackers to remotely access these systems without any interaction from users. Categorised as a “zero-click” vulnerability, this flaw enables attackers to exploit Synology devices without requiring the user to open files or click on links. The issue originates from two applications: Synology Photos (Synology-SA-24:19) and BeePhotos (Synology-SA-24:18), both of which come pre-installed and enabled by default on Synology’s consumer line of Bee network storage devices. The Photos app is also a popular download among users of the DiskStation systems.
With this level of access, attackers could steal sensitive data, install ransomware to block user access, or even install backdoors for long-term exploitation. Midnight Blue’s researchers found that the vulnerability could be exploited whether a Synology NAS device is directly connected to the internet or accessed remotely through the company's QuickConnect service, which many users rely on for convenient remote access. In their analysis, the Midnight Blue team scanned for internet-connected NAS devices and identified hundreds of thousands of vulnerable Synology systems, estimating that millions of devices in total could be affected. Their scan revealed potentially vulnerable systems in use by law enforcement agencies, law firms, and contractors in critical sectors, such as power grid maintenance, pharmaceuticals, and freight operations.