Based on reporting by The Hacker News →
Introduction
A new disclosure reveals seven unpatched vulnerabilities in a tiny filesystem library that runs inside everything from security cameras and drones to industrial controllers and crypto wallets. For security teams managing embedded device fleets, this is a supply-chain blind spot that demands immediate attention.
The problem
Security firm runZero disclosed seven vulnerabilities in FatFs, a lightweight embedded filesystem library that enables devices to read and write FAT and exFAT formats commonly used on USB drives and SD cards. As reported by The Hacker News, the flaws affect a library that is "bundled into millions of embedded devices" because manufacturers integrate it into firmware without a centralized update mechanism. The vulnerabilities were responsibly disclosed to the project's maintainer, but no patches have been released at the time of reporting.
Consequences
The real-world impact is broad because FatFs ships inside firmware for devices that handle sensitive operations: security cameras with live feeds, drones with GPS and telemetry, industrial controllers managing physical processes, and hardware cryptocurrency wallets storing private keys. An attacker who exploits these flaws via a maliciously crafted FAT or exFAT volume—delivered through a USB drive or SD card—could achieve arbitrary code execution, memory corruption, or denial of service on the target device. In industrial or financial contexts, that means potential takeover of physical equipment or theft of cryptographic material.