
CVE-2024-10443: Critical Zero-Click RCE Vulnerability Discovered in Synology NAS Devices

On November 1, 2024, details of a critical vulnerability affecting Synology NAS devices, which had been patched a few days earlier, were publicly disclosed. Find Arctic Wolf’s recommendations.

On November 1, 2024, details of a critical vulnerability affecting Synology NAS devices, which had been patched a few days earlier, were publicly disclosed. This vulnerability, tracked as CVE-2024-10443, is classified as a zero-click flaw, meaning no user interaction is required for exploitation. The issue originates from the Synology Photos application, which comes pre-installed and enabled by default on Synology's BeeStation storage devices and is also widely used among DiskStation users. The flaw allows remote attackers to achieve remote code execution (RCE).

Arctic Wolf has not observed any active exploitation of this vulnerability in the wild or identified any publicly available proof-of-concept exploit at this time. In the past, ransomware groups have specifically targeted NAS devices, including those from Synology, as they function as centralized storage for sensitive and valuable data. Threat actors are likely to reverse-engineer the patches and exploit this vulnerability in the near future, given the significant level of access they could gain upon compromising an affected device.

Vulnerability details 

CVE-2024-10443 was identified by security researchers during the Pwn2Own hacking contest held in October 2024. During the competition, the researchers discovered that hundreds of thousands of online-connected Synology NAS devices were vulnerable to the attack. They also indicated that millions of additional devices could be at risk and exposed to this vulnerability. 

Although Synology NAS devices can be configured in a manner that requires credentials for access, the researchers found that the zero-click vulnerability in the photo application does not require authentication. Additionally, Synology provides a feature called QuickConnect that bypasses Network Address Translation by assigning a unique subdomain in the Synology Cloud that forwards traffic to local Synology devices. While intended for convenience, this feature can expose devices to enumeration by threat actors, and potentially exposes Synology NAS devices to additional vulnerabilities, including CVE-2024-10443. 

As a result of these factors, threat actors can identify affected devices over the internet and ultimately gain root access to them, potentially allowing for remote execution of malicious code.

Recommendation for CVE-2024-10443

Upgrade to Latest Fixed Version

Arctic Wolf strongly recommends that customers upgrade to the latest fixed versions of affected Synology software. 

Product                    Affected Version                 Fixed Version
BeePhotos for BeeStation   Versions prior to 1.1.0-10053    1.1.0-10053 or above
                           Versions prior to 1.0.2-10026    1.0.2-10026 or above
Synology Photos            Versions prior to 1.7.0-0795     1.7.0-0795 or above
                           Versions prior to 1.6.2-0720     1.6.2-0720 or above

Please follow your organization’s patching and testing guidelines to minimize potential operational impact. 
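As an added example that is not part of the Arctic Wolf bulletin or Synology's own tooling, the following Python script compares installed Synology Photos and BeePhotos version strings against the fixed versions in the table above. The comparison is branch-aware, so a 1.6.x build is measured against 1.6.2-0720 rather than 1.7.0-0795; the MAJOR.MINOR.PATCH-BUILD version format, the branch rule and the sample inventory lines are assumptions made for the example.

```python
import re

# Fixed versions from the bulletin's table, one entry per release branch.
FIXED_VERSIONS = {
    "Synology Photos": ("1.7.0-0795", "1.6.2-0720"),
    "BeePhotos for BeeStation": ("1.1.0-10053", "1.0.2-10026"),
}

# Assumed version format: MAJOR.MINOR.PATCH-BUILD, e.g. 1.7.0-0795.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(\d+)$")


def parse_version(text: str) -> tuple:
    """Parse 'MAJOR.MINOR.PATCH-BUILD' into an integer tuple so that comparisons
    are numeric (a plain string compare would rank 1.10.0-0001 below 1.7.0-0795)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Synology package version: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_fixed(product: str, installed: str) -> bool:
    """True if `installed` is at or above the fixed build for its own release
    branch (MAJOR.MINOR). Anything older than every fixed branch, e.g. Synology
    Photos 1.5.x, is 'prior to 1.6.2-0720' and therefore not fixed."""
    inst = parse_version(installed)
    for fix in sorted(map(parse_version, FIXED_VERSIONS[product]), reverse=True):
        if inst[:2] >= fix[:2]:
            return inst >= fix
    return False


def vulnerable_hosts(inventory: list) -> list:
    """Given CSV lines 'hostname,product,version', return the hosts still on an
    affected version. Products not in the table are ignored."""
    flagged = []
    for line in inventory:
        host, product, version = (part.strip() for part in line.split(",", 2))
        if product in FIXED_VERSIONS and not is_fixed(product, version):
            flagged.append(host)
    return flagged


if __name__ == "__main__":
    # Constructed sample inventory; these are not real devices.
    sample = [
        "nas-01,Synology Photos,1.6.1-0610",
        "nas-02,Synology Photos,1.7.0-0795",
        "bee-01,BeePhotos for BeeStation,1.0.2-10026",
        "bee-02,BeePhotos for BeeStation,1.1.0-10052",
    ]
    print("Needs patching:", vulnerable_hosts(sample))  # ['nas-01', 'bee-02']
```

Feed it the output of your asset inventory (one line per device) to get the list of NAS units that still need the update.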

Workaround 

Disable QuickConnect (Photo Application)

While the vendor has not explicitly stated that this will prevent exploitation, consider disabling QuickConnect for the Photo application on Synology devices if it is not required. Additionally, we recommend reviewing the QuickConnect configuration in general to ensure that no other unnecessary services are publicly exposed.

To enable/disable QuickConnect for specific applications/services:

  1. Go to Control Panel > External Access > QuickConnect > Advanced and click on Advanced Settings. 
  2. Select the applications/services you want to enable or disable QuickConnect for in Permission. 
  3. Click Apply. 
