Critical Synology Vulnerability Allows Remote Attackers to Execute Arbitrary Code

A critical vulnerability affecting Synology’s DiskStation Manager (DSM) has been disclosed, allowing remote attackers to execute arbitrary code on vulnerable systems.

This severe issue, identified as CVE-2024-10441, has been reported in multiple DSM versions, including DSM 6.2, 7.1, 7.2, and 7.2.1, as well as Synology Unified Controller (DSMUC) version 3.1.

The vulnerability is classified as “critical” with a CVSS score of 9.8, indicating a severe impact on system security.

Affected Products and Fixes

The following table provides details on the affected Synology products and the necessary updates to mitigate the critical vulnerability reported as CVE-2024-10441, along with other associated vulnerabilities.

Product	Severity	Fixed Release Availability
DSM 7.2.2	Critical	Upgrade to 7.2.2-72806-1 or above
DSM 7.2.1	Critical	Upgrade to 7.2.1-69057-6 or above
DSM 7.2	Critical	Upgrade to 7.2-64570-4 or above
DSM 7.1	Critical	Upgrade to 7.1.1-42962-7 or above
DSM 6.2	Critical	Upgrade to 6.2.4-25556-8 or above
DSMUC 3.1	Critical	Upgrade to 3.1.4-23079 or above

In addition to the critical code execution vulnerability, researchers also discovered two moderate-severity vulnerabilities:

• CVE-2024-50629: This vulnerability allows remote attackers to read specific files due to improper encoding in the webapi component.
• CVE-2024-10445: This issue involves improper certificate validation, allowing an adjacent man-in-the-middle attacker to write limited files.

The vulnerabilities were identified by a team including Pumpkin Chang and Orange Tsai from DEVCORE Research Team, Ryan Emmons, and Team Smoking Barrels.

The recent disclosure of critical vulnerabilities in Synology’s DiskStation Manager (DSM) underscores the importance of maintaining up-to-date security patches.

The ability for remote attackers to execute arbitrary code, as reported in CVE-2024-10441, poses a significant risk to system integrity and data security.

Additionally, the moderate vulnerabilities highlighted by CVE-2024-50629 and CVE-2024-10445 further emphasize the need for immediate action to protect against unauthorized file access and manipulation.

To mitigate these risks, users are strongly advised to upgrade their DSM versions to the latest available patches.

This proactive measure will significantly reduce the vulnerability of their systems to potential attacks.

As cybersecurity threats continue to evolve, staying informed about software updates and applying them on time is crucial for maintaining robust system security.

Investigate Real-World Malicious Links & Phishing Attacks With Threat Intelligence Lookup - Try for Free