Researchers at runZero have publicly disclosed seven vulnerabilities in FatFs, a compact open-source library that provides FAT and exFAT filesystem support to embedded devices. Because FatFs ships inside the firmware of an enormous range of hardware, including security cameras, drones, industrial controllers, and hardware cryptocurrency wallets, the findings carry broad implications for the embedded and IoT security community.

What Is FatFs and Why Does It Matter?

FatFs is designed to give resource-constrained microcontrollers the ability to read and write storage media such as USB drives and SD cards using the FAT and exFAT formats common on consumer hardware. Its small footprint and permissive licensing have made it a popular choice for firmware developers across industries, meaning a single vulnerability in the library can propagate across a vast and diverse population of deployed devices.

The Disclosed Vulnerabilities

runZero identified seven distinct flaws in the library. The source material does not yet provide full technical details for each individual vulnerability, but the disclosure indicates the issues reside in the filesystem parsing and handling logic that FatFs uses when processing storage media. Devices that mount untrusted removable storage, such as USB drives or SD cards supplied by an end user, would represent a realistic attack surface for exploitation.

Patch Status and Affected Devices

The vulnerabilities are described as unpatched at the time of disclosure. The breadth of affected hardware is a significant complicating factor: embedded firmware is notoriously difficult to update in the field, and many device manufacturers may not be aware their products incorporate FatFs or the specific version in use. Categories of affected hardware cited in the research include:

  • IP and surveillance cameras
  • Consumer and commercial drones
  • Industrial control systems and programmable logic controllers
  • Hardware cryptocurrency wallets

Recommended Actions

Until patches are available and distributed by the FatFs maintainer and downstream device vendors, security teams and asset owners should consider restricting or monitoring the use of removable storage media on affected device classes. Organizations managing fleets of IoT or operational technology equipment should audit their firmware supply chain to determine whether FatFs is a dependency and track remediation guidance as it becomes available from vendors.

The runZero disclosure continues a pattern of security research surfacing risk in foundational embedded libraries that underpin millions of devices with long operational lifespans and limited patch infrastructure.