← Back to blog

Critical Unpatched Flaws Found in Widespread Embedded Filesystem

Seven vulnerabilities discovered in FatFs, a filesystem used in millions of embedded devices. These flaws could allow attackers to compromise firmware in security cameras, drones, and more.

TL;DR

  • Security researchers found 7 unpatched flaws in FatFs, a widely-used embedded filesystem.
  • FatFs is embedded in firmware for security cameras, drones, industrial controllers, and crypto wallets.
  • Exploitation could lead to full device compromise via USB or SD card interactions.
  • No official patches are available yet from the maintainers.
  • Organizations should inventory devices using FatFs and prepare for future mitigations.

A recently disclosed set of vulnerabilities in the FatFs filesystem library poses a significant risk to millions of embedded devices. FatFs enables devices to interact with common storage formats like FAT and exFAT, which are widely used on USB drives and SD cards. Because the library is bundled into firmware across numerous industries, the impact of these flaws could be far-reaching.

The vulnerabilities were uncovered by security firm runZero and affect the core functionality of devices that rely on removable storage. From security cameras to hardware crypto wallets, many systems could be vulnerable to attacks exploiting these issues. With no patches currently available, organizations must assess their exposure and monitor for updates or mitigations.

Affected Systems and Risk

  • FatFs is integrated into firmware for security cameras, drones, industrial control systems, and hardware cryptocurrency wallets.
  • Attackers may exploit the flaws through malicious USB or SD card interactions.
  • Successful exploitation could result in arbitrary code execution or full device takeover.
  • Many affected devices lack straightforward update mechanisms, complicating remediation.

Current Status and Recommendations

  • No patches have been released by the FatFs maintainers as of the disclosure.
  • Device manufacturers are being notified to evaluate their exposure.
  • Organizations should audit their embedded systems for use of FatFs.
  • Defensive measures may include disabling unnecessary USB/SD interfaces where possible.
  • Security teams should monitor vendor advisories for patched versions or workarounds.

Sources

Sources

Security email updates

One digest email when we publish new security articles (TL;DR plus links to read more). Unsubscribe anytime from the message footer. See our Privacy Policy.

Critical Unpatched Flaws Found in Widespread Embedded Filesystem — Agent Breach Blog | Agent Breach