A vulnerability in legacy Iomega and LenovoEMC network-attached storage (NAS) devices has led to many terabytes of potentially sensitive data being accessible to anyone via the Internet. Iomega Corporation was acquired in 2008 by EMC. In 2013, Iomega became LenovoEMC – a joint venture between Lenovo and EMC Corporation – and Iomega’s products were rebranded under the new name. Iomega’s and LenovoEMC’s storage products were aimed at small and medium-sized businesses. CVE-2019-6160 affects a number of Iomega and LenovoEMC NAS products, which have reached End-of-Service-Life four years ago. The vulnerability stems from an unprotected API call and allows anyone to use Shodan to find vulnerable NAS devices and then simply download the exposed files by sending a specially crafted requests.
Read how the data stored on NAS devices made by Iomega and LenovoEMC are exposed to anyone with the Internet on Helpnet Security.