Security researchers have discovered a critical zero-click bug in the Synology Photos app
If you own a Synology NAS drive, you’ll want to update your device as soon as possible. As first reported by Wired, a group of Dutch security researchers recently identified a zero-click vulnerability within the Synology Photos application. For those who don’t know, such bugs allow hackers to compromise a system without the user needing to click something first. To make matters worse, the app comes pre-installed and enabled by default on Synology’s BeeStation line of consumer network storage devices. It’s also a popular download among those who use the company’s DiskStation line.
Midnight Blue, the cybersecurity firm that discovered the vulnerability, estimates that millions of Synology users could be at risk. Although the company has released a security patch to address the bug, its NAS devices do not automatically apply updates. “It is not a small thing to find [the vulnerability] alone, independently,” Carlo Meijer, one of the researchers, told Wired. “But it’s much easier to find and connect the dots when the patch is removed, and then undo the patch.”
According to Midnight Blue, the zero-click flaw is found in a part of the Synology Photos app that does not require authentication. As a result, attackers can exploit the bug directly over the Internet and without needing to go through a gateway first. They can gain root access and install malicious code on a compromised device. At that point, there’s not much a malicious actor couldn’t do, and the firm notes that it’s possible to turn an infected device into a bot. The possibility of a ransomware gang targeting Synology devices is not just speculation. Earlier this year, DiskStation users reported that they were victims of ransomware attacks.