
Rick De Jager

Researcher from Midnight Blue
#22825 of 53,633
10 Total CVSS
Vulnerabilities · 1
PT-2024-7608
10
2024-10-25
Synology · Synology Beephotos · CVE-2024-10443
**Name of the Vulnerable Software and Affected Versions**

- Synology BeePhotos versions prior to 1.0.2-10026
- Synology BeePhotos version 1.1.0-10053
- Synology Photos versions prior to 1.6.2-0720
- Synology Photos version 1.7.0-0795
- Synology BeeStation BST150-4T (affected versions not specified)

**Description**

A command injection flaw exists in the Task Manager component of Synology BeePhotos and Synology Photos. This issue allows remote attackers to execute arbitrary code without user interaction. Millions of Synology NAS devices are potentially affected. The vulnerability, dubbed RISK:STATION, was demonstrated at Pwn2Own 2024 and is actively exploited. The root cause is improper neutralization of special elements used in OS commands. The vulnerable component is the Task Manager. The vulnerability allows an attacker to gain root-level access to affected devices.

**Recommendations**

- Update Synology BeePhotos to version 1.0.2-10026 or later.
- Update Synology BeePhotos to version 1.1.0-10053 or later.
- Update Synology Photos to version 1.6.2-0720 or later.
- Update Synology Photos to version 1.7.0-0795 or later.