Dutch researchers @midnightbluelab found a critical zero-click vuln in a photo app enabled by default on Synology storage devices, putting millions of systems at risk of being hacked. They found Synology systems owned by police/law firms/critical infrastructure contractors online and all vulnerable to attack. Synology has called the vuln "critical" and issued a patch last week but apparently didn't notify customers. Synology devices don't have automated update capabilities. Here's my story: https://www.wired.com/story/synology-zero-click-vulnerability/
@kimzetter Also, apparently this emergency update turns off media transcoding and the iTunes media server!
@kimzetter Kim, did you see https://infosec.exchange/@adamshostack/113414081797045521 ?
@kimzetter
"Critical", yet they decided to forgo giving it a CVE.
And the ZDI-CAN-25623 identifier is seemingly made up. (There's no record of it in ZDI's https://www.zerodayinitiative.com/advisories/upcoming/ or https://www.zerodayinitiative.com/advisories/published/ advisory pages.)
Is there some competition to see who can do the worst job in coordinating a vulnerability? 🤔
@wdormann @buherator @kimzetter @thezdi ZDI-CAN-25623 is the correct identifier, but we haven't published it yet. We're still catching up on all the paperwork from P2O Ireland. Processing over 70 0-days at once takes a minute. It will receive a CVE once published.