Synology Fixes Critical Vulnerabilities in Synology Photos and BeePhotos After Pwn2Own Exposure

Summary: Synology has issued critical security updates for its photo management applications, Synology Photos and BeePhotos, to address vulnerabilities exploited at the Pwn2Own 2024 competition. The vulnerabilities could allow remote code execution, emphasizing the need for immediate user action to secure their devices.

Threat Actor: DEVCORE Research Team
Victim: Synology users | Synology

Key Points:

  • Vulnerabilities identified as ZDI-CAN-25623 include CRLF injection, authentication bypass, and SQL injection.
  • Successful exploitation could lead to data breaches, service disruptions, and malware propagation.
  • Synology urges all users to apply the updates immediately to mitigate risks.

Synology has released security updates to address critical vulnerabilities in Synology Photos and BeePhotos, its photo management applications for network-attached storage (NAS) and personal cloud storage devices, respectively.

The vulnerabilities, collectively identified as ZDI-CAN-25623, were successfully exploited at the Pwn2Own 2024 hacking competition, demonstrating the potential for remote code execution on affected devices. This exploit, developed by security researchers Pumpkin Chang and Orange Tsai from the DEVCORE Research Team, leveraged a chain of vulnerabilities, including a CRLF injection, an authentication bypass, and a SQL injection, to gain complete control of a Synology BeeStation device.

In response to this discovery, Synology has issued two security advisories detailing the vulnerabilities and urging users to update their software immediately. Updates are available for both Synology Photos and BeePhotos, addressing the identified vulnerabilities and mitigating the risk of remote compromise.

Vulnerability Impact and Remediation

The successful exploitation of these vulnerabilities could have severe consequences for users, including:

  • Data breaches: Attackers could gain unauthorized access to sensitive data stored on the devices.
  • Service disruption: Compromised devices could be used to disrupt or deny access to critical services.
  • Malware propagation: Attackers could leverage compromised devices to spread malware to other systems on the network.

To address these risks, Synology has released the following updates:

Synology strongly recommends that all users apply these updates as soon as possible to ensure the security of their data and systems.

Source: https://securityonline.info/synology-fixes-critical-vulnerabilities-in-synology-photos-and-beephotos-after-pwn2own-exposure