Cyber Security News

Critical Synology Vulnerability Allows Remote Attackers to Execute Arbitrary Code

A critical vulnerability affecting Synology’s DiskStation Manager (DSM) has been disclosed, allowing remote attackers to execute arbitrary code on vulnerable systems.

This severe issue, identified as CVE-2024-10441, has been reported in multiple DSM versions, including DSM 6.2, 7.1, 7.2, and 7.2.1, as well as Synology Unified Controller (DSMUC) version 3.1.

The vulnerability is classified as “critical” with a CVSS score of 9.8, indicating a severe impact on system security.

Affected Products and Fixes

The following table provides details on the affected Synology products and the necessary updates to mitigate the critical vulnerability reported as CVE-2024-10441, along with other associated vulnerabilities.

ProductSeverityFixed Release Availability
DSM 7.2.2CriticalUpgrade to 7.2.2-72806-1 or above
DSM 7.2.1CriticalUpgrade to 7.2.1-69057-6 or above
DSM 7.2CriticalUpgrade to 7.2-64570-4 or above
DSM 7.1CriticalUpgrade to 7.1.1-42962-7 or above
DSM 6.2CriticalUpgrade to 6.2.4-25556-8 or above
DSMUC 3.1CriticalUpgrade to 3.1.4-23079 or above

In addition to the critical code execution vulnerability, researchers also discovered two moderate-severity vulnerabilities:

  • CVE-2024-50629: This vulnerability allows remote attackers to read specific files due to improper encoding in the webapi component.
  • CVE-2024-10445: This issue involves improper certificate validation, allowing an adjacent man-in-the-middle attacker to write limited files.

The vulnerabilities were identified by a team including Pumpkin Chang and Orange Tsai from DEVCORE Research Team, Ryan Emmons, and Team Smoking Barrels.

The recent disclosure of critical vulnerabilities in Synology’s DiskStation Manager (DSM) underscores the importance of maintaining up-to-date security patches.

The ability for remote attackers to execute arbitrary code, as reported in CVE-2024-10441, poses a significant risk to system integrity and data security.

Additionally, the moderate vulnerabilities highlighted by CVE-2024-50629 and CVE-2024-10445 further emphasize the need for immediate action to protect against unauthorized file access and manipulation.

To mitigate these risks, users are strongly advised to upgrade their DSM versions to the latest available patches.

This proactive measure will significantly reduce the vulnerability of their systems to potential attacks.

As cybersecurity threats continue to evolve, staying informed about software updates and applying them on time is crucial for maintaining robust system security.

Investigate Real-World Malicious Links & Phishing Attacks With Threat Intelligence Lookup - Try for Free

Divya

Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.

Recent Posts

Popular Instagram Blogger’s Account Hacked to Phish Users and Steal Banking Credentials

A high-profile Russian Instagram blogger recently fell victim to a sophisticated cyberattack, where scammers hijacked…

3 minutes ago

Ransomware Attacks on Food & Agriculture Industry Surge 100% – 84 Attacks in Just 3 Months

The food and agriculture industry is facing an unprecedented wave of cybersecurity threats in 2025,…

13 minutes ago

Microsoft 365 Copilot and Office Apps Now Protected by SafeLinks at Click Time

Microsoft announced a major update aimed at bolstering the cybersecurity of its flagship AI-powered productivity…

18 minutes ago

Hackers Targeting Schools and Universities in New Mexico with Cyber Attacks

A major cyberattack on the Coweta County School System's computer network occurred late Friday night, which is a worrying development for New Mexico's educational institutions. The unauthorized intrusion, detected around 7:00 p.m., prompted immediate action from the school…

19 minutes ago

Initial Access Brokers Play a Vital Role in Modern Ransomware Attacks

The ransomware threat landscape has evolved dramatically in recent years, with specialized cybercriminals like Initial…

27 minutes ago

Darcula PhaaS: 884,000 Credit Card Details Stolen from 13 Million Global User Clicks

The Darcula group has orchestrated a massive phishing-as-a-service (PhaaS) operation, dubbed Magic Cat, compromising an…

39 minutes ago