A widely used device and application for storing documents, trusted by millions of users and businesses globally, has been found to have a vulnerability. A team of Dutch researchers revealed that this zero-click flaw could potentially compromise many systems worldwide.

This flaw, termed "zero-click" because it requires no user interaction to trigger, affects Synology's photo application, a default program on network-attached storage (NAS) devices from the Taiwanese company. Through this vulnerability, attackers could gain unauthorized access to these devices, allowing them to steal files, plant malicious code, or install ransomware, which could lock users out of their data.

The Synology Photos app comes pre-installed on Synology’s BeeStation storage devices and is also popular among users of their DiskStation models. These NAS devices enable users to expand storage via add-on components. Since 2019, Synology and other NAS brands have frequently been targeted by ransomware groups. Recently, DiskStation users have reported specific ransomware attacks. The vulnerability was uncovered by Rick de Jager, a security researcher with Midnight Blue in the Netherlands, during the Pwn2Own hacking event in Ireland. De Jager and his team identified hundreds of thousands of vulnerable Synology NAS devices online, although they warn that the real number of at-risk devices is likely in the millions.

The researchers, alongside the Pwn2Own organizers, alerted Synology about the flaw last week.

Network-attached storage systems are attractive targets for cybercriminals due to the large volumes of data they store. Many users connect their NAS directly to the internet or utilize Synology’s cloud storage for backup. Although security credentials can be required to access the devices, this specific zero-click flaw in the photo app doesn’t require authentication. Attackers can exploit it remotely over the internet, granting them root access to execute malicious code on the device.

The photo app allows users to organize images and provides attackers easy access whether the NAS is connected directly to the internet or via Synology’s QuickConnect, which offers remote access. Once an attacker compromises one cloud-connected Synology NAS, it becomes easier to identify others, thanks to how the system registers and assigns IDs.

The researchers found several cloud-connected Synology NAS devices linked to U.S. and French police departments, as well as numerous law firms in North America and France. Other compromised devices were used by logistics and oil companies in Australia and South Korea, along with maintenance firms in South Korea, Italy, and Canada, serving industries like energy, pharmaceuticals, and chemicals.

“These organizations store a range of critical data, including management documents and sensitive case files,” Wetzels said.

Beyond ransomware, the researchers warn of other threats, such as botnets, which infected devices could join to assist in hiding broader hacking operations. The Chinese Volt Typhoon group, for example, previously used compromised home and office routers to mask espionage activities.

Synology has not responded publicly to requests for comment, but on October 25, the company issued two security advisories marking the vulnerability as “critical.” Synology confirmed the discovery was made during the Pwn2Own contest and released patches for the flaw. However, without automatic updates on NAS devices, it is unclear how many users are aware of or have implemented the patch. Releasing the patch also increases the risk that attackers could reverse-engineer it to exploit the vulnerability.

While finding the vulnerability independently is challenging, “it’s not hard to connect the dots from the patch,” Meijer explained.