Synology, a Taiwanese network-attached storage (NAS) appliance maker, patched two critical zero-days exploited during last week’s Pwn2Own hacking competition within days.

Midnight Blue security researcher Rick de Jager found the critical zero-click vulnerabilities in the company’s Synology Photos and BeePhotos for BeeStation software.

While they’re yet to receive CVE IDs for easier tracking, Trend Micro’s Zero Day Initiative tracks both flaws under the ZDI-CAN-25623 tag.

As Synology explains in security advisories published two days after bugs were demoed at Pwn2Own Ireland 2024 to hijack a Synology BeeStation BST150-4T device, the security flaws enable remote attackers to execute arbitrary code on vulnerable NAS appliances exposed online.

The company says it addressed the vulnerabilities in the following software releases; however, they’re not automatically applied on vulnerable systems, and customers are advised to update as soon as possible to block potential incoming attacks:

• BeePhotos for BeeStation OS 1.1: Upgrade to 1.1.0-10053 or above
• BeePhotos for BeeStation OS 1.0: Upgrade to 1.0.2-10026 or above
• Synology Photos 1.7 for DSM 7.2: Upgrade to 1.7.0-0795 or above.
• Synology Photos 1.6 for DSM 7.2: Upgrade to 1.6.2-0720 or above.

QNAP, another Taiwanese NAS device manufacturer, patched two more critical zero-days exploited during the hacking contest within a week (in the company’s SMB Service and Hybrid Backup Sync disaster recovery and data backup solution).

While Synology and QNAP hurried out security updates, vendors are given 90 days until Trend Micro’s Zero Day Initiative releases details on bugs disclosed during the contest and usually take their time to release patches.

This is likely because NAS devices are commonly used to store sensitive data by both home and enterprise customers, and they’re also often exposed to Internet access for remote access. However, this makes them vulnerable targets for cybercriminals who exploit weak passwords or vulnerabilities to breach the systems, steal data, encrypt files, and extort owners by demanding ransoms to provide access to the lost files.

As Midnight Blue security researchers who demoed the Synology zero-days during Pwn2Own Ireland 2024 told cybersecurity journalist Kim Zetter (who first reported on the security updates), they found Internet-exposed Synology NAS devices on the networks of police departments in the U.S. and Europe, as well as critical infrastructure contractors from South Korea, Italy, and Canada, with millions of other devices potentially vulnerable to attacks.

QNAP and Synology have warned customers for years that devices exposed online are being targeted by ransomware attacks. For instance, eCh0raix ransomware (also known as QNAPCrypt), which first surfaced in June 2016, has been targeting such systems regularly, with two large-scale ones reported in June 2019 (against QNAP and Synology devices) and in June 2020 standing out.

In more recent attack waves, threat actors have also used other malware strains (including DeadBolt and Checkmate ransomware) and various security vulnerabilities to encrypt Internet-exposed NAS devices.