Critical Synology Vulnerability Let Attackers Remote Execute Arbitrary Code
\n \t
\n
<\/BR>
\n
\n \t
\n
<\/BR><\/p>\n
A severe vulnerability in Synology\u2019s DiskStation Manager (DSM) allows remote attackers to execute arbitrary code with no user interaction.\u00a0<\/p>\n
The flaw, disclosed during PWN2OWN 2024, received a Critical severity rating with a CVSS score<\/a> of 9.8, indicating its potential for widespread exploitation.<\/p>\n The primary vulnerability, identified as CVE-2024-10441, stems from improper encoding or escaping of output in the system plugin daemon.\u00a0<\/p>\n This critical flaw affects multiple Synology products, including DSM versions prior to specified patched releases, BeeStation Manager (BSM), and Synology Unified Controller (DSMUC).<\/p>\n This vulnerability represents one of the most serious security issues discovered in Synology products this year. With a CVSS score of 9.8 and requiring no user authentication<\/a>, attackers could potentially take complete control of vulnerable systems.<\/p>\n The technical vector is characterized as CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:U\/C:H\/I:H\/A:H, indicating network accessibility, low attack complexity, no privileges required, no user interaction needed, and potential for high confidentiality, integrity, and availability impact.<\/p>\n CVE-2024-50629: A vulnerability in the web API component with a CVSS score of 5.3 that allows attackers to read limited files via unspecified vectors.<\/p>\n CVE-2024-10445: An improper certificate validation vulnerability in the update functionality with a CVSS score of 4.3 that enables adjacent attackers to write limited files.<\/p>\n The vulnerabilities were discovered by prominent security researchers including Pumpkin Chang (@u1f383) and Orange Tsai (@orange_8361) from DEVCORE Research Team, along with Ryan Emmons (@the_emmons) and Team Smoking Barrels.<\/p>\n Synology has released patches for all affected products. Users are strongly advised to update to the following versions:<\/p>\n Notably, no mitigations are available other than applying the updates, underscoring the importance of immediate patching.<\/p>\n \u201cThe fact that such critical flaws existed in widely deployed storage systems should remind organizations to keep security at the forefront of their product development.\u201d<\/p>\n Given the severity and remote exploitability of CVE-2024-10441, organizations, and individuals using Synology NAS devices should treat this update as an emergency patch.\u00a0<\/p>\n Exposed, unpatched systems could be compromised through automated scanning and exploitation attempts.<\/p>\n Synology initially released<\/a> this security advisory on November 5, 2024, with subsequent updates releasing patches for various product lines. <\/p>\n The most recent update on March 19, 2025, disclosed complete vulnerability details after providing users adequate time to update their systems.<\/p>\n The post Critical Synology Vulnerability Let Attackers Remote Execute Arbitrary Code<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nCritical Synology Vulnerability<\/strong><\/h2>\n
\n\n
\n Risk Factors<\/strong><\/td>\n Details<\/strong><\/td>\n<\/tr>\n \n Affected Products<\/td>\n -Synology BeeStation Manager (BSM) before 1.1-65374- Synology DiskStation Manager (DSM) before 6.2.4-25556-8- DSM before 7.1.1-42962-7- DSM before 7.2-64570-4- DSM before 7.2.1-69057-6- DSM before 7.2.2-72806-1- Synology Unified Controller (DSMUC) before 3.1.4-23079<\/td>\n<\/tr>\n \n Impact<\/td>\n Execute arbitrary code\u00a0<\/td>\n<\/tr>\n \n Exploit Prerequisites<\/td>\n Network access to target<\/td>\n<\/tr>\n \n CVSS 3.1 Score<\/td>\n 9.8 Critical<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n Medium-Severity Issues<\/strong><\/h2>\n
Affected Products and Remediation<\/strong><\/h2>\n
\n
Investigate Real-World Malicious Links & Phishing Attacks With\u00a0Threat Intelligence Lookup<\/strong>\u00a0-\u00a0Try for Free<\/a><\/code><\/strong><\/code><\/strong><\/p>\n