Connect with us

Hi, what are you looking for?



Western Digital, Synology NAS Vulnerabilities Exposed Millions of Users’ Files

Critical vulnerabilities discovered in WD and Synology NAS devices could have exposed the files of millions of users.

Critical vulnerabilities discovered by IoT and industrial cybersecurity firm Claroty in Western Digital (WD) and Synology network-attached storage (NAS) products could have exposed the files of millions of users.

The vulnerabilities and their exploitation was demonstrated at the Zero Day Initiative’s Pwn2Own Toronto hacker contest in December 2022, where participants earned a total of nearly $1 million for hacking smartphones, printers, routers, NAS devices, and smart speakers.

Both vendors have pushed out patches (in some cases automatically) and published advisories to inform customers about the vulnerabilities. Synology released one advisory and WD published three advisories, in December, January and May.

In the case of WD, Claroty researchers found a way to enumerate all cloud-connected NAS devices, impersonate them, and gain access to each system through the vendor’s MyCloud service. An attacker could have exploited the vulnerabilities to remotely access user files, execute arbitrary code, and take full control of cloud-connected devices. 

“First, we enumerate all of the devices GUID, and choose our target list. We then impersonate the device, stealing its cloud tunnel and disconnecting the device. Any requests performed to the device will now reach us, giving us the authentication tokens for the device admin,” Claroty explained. 

It added, “Using our newly gained permissions, we created a new share on the device, mapping it to the /tmp directory. We then write our reverse shell payload to that directory, and invoke a reboot through the cloud. Whenever the device will reboot, our payload will be executed, resulting in us executing code on the device.”

The cybersecurity firm also found vulnerabilities that allowed it to impersonate Synology NAS devices and force the QuickConnect cloud service to redirect users to a device controlled by the attacker. 

Advertisement. Scroll to continue reading.

An attacker could have leveraged the flaws to steal credentials, access user data, and remotely execute arbitrary code, giving them control over the device and the ability to launch further attacks. 

Claroty’s analysis showed that millions of WD and Synology NAS devices were vulnerable to attacks. 

Both the WD and Synology exploits were possible due to “weak device authentication based on publicly known information rather than secrets”, and Claroty believes similar issues likely impact devices from other vendors as well.

The company has published separate blog posts describing the WD and Synology vulnerabilities. 

Related: CISA Says Critical Zyxel NAS Vulnerability Exploited in Attacks

Related: 30k Internet-Exposed QNAP NAS Devices Affected by Recent Vulnerability

Related: QNAP Warns of New ‘Deadbolt’ Ransomware Attacks Targeting NAS Users

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.