A group of Dutch researchers has discovered that popular devices and applications used by millions of individuals and businesses worldwide for storing documents are vulnerable to zero-click vulnerabilities. This vulnerability, known as a zero-click vulnerability, does not require any user interaction to be exploited. It affects the photo application that comes pre-installed on popular Network Attached Storage (NAS) devices manufactured by a company in Taiwan, China.

The vulnerability allows attackers to access the device to steal personal and company files, implant backdoors, or use ransomware to infect the system, thereby preventing users from accessing their data. The application package is pre-installed and enabled by default in the storage device series, but it is also a popular application among users of the storage system, which allows users to expand storage capacity using removable components.

In recent years, several ransomware groups have targeted network-attached storage devices produced by and other companies, with incidents dating back to at least . Earlier this year, users of 's system specifically reported being hit by ransomware attacks.

Dutch security researcher spent two hours discovering the vulnerability at the hacking competition in Ireland. He, along with colleagues , , and , scanned connected devices and found tens of thousands of vulnerable connected devices. However, the researchers stated that millions of other devices could also be at risk. They reported the vulnerability to the organizers last week.

Network Attached Storage (NAS) systems are considered high-value targets for ransomware operators due to the large amounts of data they store. Many users connect them directly to the internet from their own networks or use cloud storage to back up data online to these systems. Researchers told Wired that while the systems can be set up with gateways that require credentials to access, the part of the photo application containing the zero-click vulnerability does not require authentication, allowing attackers to exploit it directly over the internet without bypassing the gateway. This vulnerability grants them access to install and execute any malicious code on the device.

Researchers also stated that this photo app can help users organize their photos, whether customers connect their devices directly to the internet or access it through a service that allows remote access from anywhere. Once an attacker finds a connected to the cloud, they can easily find others, due to the way the system registers and assigns .

There are many devices connected to private clouds through the service, which can also be exploited. So even if you don't expose them directly to the internet, you can still exploit these devices through this service, with the number of these devices reaching millions. Researchers were able to identify cloud connections owned by police departments in the United States and France, as well as a large number of law firms in the United States, Canada, and France, and freight and tank operators in Australia and South Korea. They even discovered cloud connections owned by power grids in South Korea, Italy, and Canada, as well as pharmaceutical and chemical industry maintenance contractors. These companies store corporate data... manage documents, engineering files, and for law firms, possibly case files.

Researchers say that ransomware and data theft are not the only issues with these devices—attackers can also turn infected systems into botnets to serve and hide other hacking activities, such as hackers using infected home and office routers to build massive botnets to cover their espionage operations.

The company's website released two security advisories related to the issue on [date], describing the vulnerability as "critical." The advisories confirmed that the vulnerability was discovered during a competition and indicated that the company had released a patch for it. However, [company's] [device] does not have an automatic update feature, and it is currently unclear how many customers are aware of and have applied the patch. With the release of the patch, attackers can now more easily identify the vulnerability from the patch and design attacks targeting the devices. While it is not easy to discover a vulnerability alone, it becomes quite straightforward to identify and connect the dots once the patch is truly released and you reverse-engineer it.