Synology Fixes Critical Vulnerabilities in Synology Photos and BeePhotos After Pwn2Own Exposure
Synology has released security updates to address critical vulnerabilities in Synology Photos and BeePhotos, its photo management applications for network-attached storage (NAS) and personal cloud storage devices, respectively.
The vulnerabilities, collectively identified as ZDI-CAN-25623, were successfully exploited at the Pwn2Own 2024 hacking competition, demonstrating the potential for remote code execution on affected devices. This exploit, developed by security researchers Pumpkin Chang and Orange Tsai from the DEVCORE Research Team, leveraged a chain of vulnerabilities, including a CRLF injection, an authentication bypass, and a SQL injection, to gain complete control of a Synology BeeStation device.
In response to this discovery, Synology has issued two security advisories detailing the vulnerabilities and urging users to update their software immediately. Updates are available for both Synology Photos and BeePhotos, addressing the identified vulnerabilities and mitigating the risk of remote compromise.
Vulnerability Impact and Remediation
The successful exploitation of these vulnerabilities could have severe consequences for users, including:
- Data breaches: Attackers could gain unauthorized access to sensitive data stored on the devices.
- Service disruption: Compromised devices could be used to disrupt or deny access to critical services.
- Malware propagation: Attackers could leverage compromised devices to spread malware to other systems on the network.
To address these risks, Synology has released the following updates:
- Synology Photos: Versions 1.7.0-0795 and 1.6.2-0720 for DiskStation Manager (DSM) 7.2
- BeePhotos: Versions 1.1.0-10053 and 1.0.2-10026 for BeeStation devices
Synology strongly recommends that all users apply these updates as soon as possible to ensure the security of their data and systems.
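Because each product's fix ships on two release branches, comparing an installed version against the single highest fixed version would misclassify an unpatched 1.7.0 build as safe (it sorts above 1.6.2-0720) or a patched 1.6.2 build as vulnerable. The following added Python helper, not Synology's own code, checks an installed version against the fixed version for its own branch; the inventory is constructed sample data, and treating an unlisted newer branch as already fixed is an assumption.

```python
import re

# Fixed versions from the Synology advisories, keyed by package and release branch.
FIXED_VERSIONS = {
    "Synology Photos": {"1.7": "1.7.0-0795", "1.6": "1.6.2-0720"},
    "BeePhotos": {"1.1": "1.1.0-10053", "1.0": "1.0.2-10026"},
}

# Synology version strings look like "1.7.0-0795": major.minor.patch-build.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(\d+)$")


def parse_version(version: str) -> tuple:
    """Split a Synology version string into a comparable tuple of ints."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Synology version string: {version!r}")
    return tuple(int(part) for part in m.groups())


def is_patched(package: str, installed: str) -> bool:
    """True if the installed build is at or above the fix for its own branch."""
    branches = FIXED_VERSIONS[package]
    parsed = parse_version(installed)
    branch = f"{parsed[0]}.{parsed[1]}"
    if branch in branches:
        return parsed >= parse_version(branches[branch])
    # Assumption: a branch newer than every fixed branch already carries the
    # fix; an older branch that was never patched is treated as vulnerable.
    newest_fix = max(parse_version(v) for v in branches.values())
    return parsed >= newest_fix


def audit(inventory: list) -> list:
    """Return (host, package, version, status) for each inventory entry."""
    report = []
    for host, package, version in inventory:
        status = "patched" if is_patched(package, version) else "VULNERABLE"
        report.append((host, package, version, status))
    return report


# Constructed sample inventory: (host, package, installed version).
SAMPLE_INVENTORY = [
    ("nas-01", "Synology Photos", "1.7.0-0795"),
    ("nas-02", "Synology Photos", "1.7.0-0790"),
    ("nas-03", "Synology Photos", "1.6.2-0720"),
    ("bee-01", "BeePhotos", "1.0.2-10020"),
]

if __name__ == "__main__":
    for row in audit(SAMPLE_INVENTORY):
        print("{:8} {:16} {:12} {}".format(*row))
```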