Cyber Security News

Critical Synology Vulnerability Allows Remote Attackers to Execute Arbitrary Code

A critical vulnerability affecting Synology’s DiskStation Manager (DSM) has been disclosed, allowing remote attackers to execute arbitrary code on vulnerable systems.

This severe issue, identified as CVE-2024-10441, has been reported in multiple DSM versions, including DSM 6.2, 7.1, 7.2, and 7.2.1, as well as Synology Unified Controller (DSMUC) version 3.1.

The vulnerability is classified as “critical” with a CVSS score of 9.8, indicating a severe impact on system security.

Affected Products and Fixes

The following table provides details on the affected Synology products and the necessary updates to mitigate the critical vulnerability reported as CVE-2024-10441, along with other associated vulnerabilities.

ProductSeverityFixed Release Availability
DSM 7.2.2CriticalUpgrade to 7.2.2-72806-1 or above
DSM 7.2.1CriticalUpgrade to 7.2.1-69057-6 or above
DSM 7.2CriticalUpgrade to 7.2-64570-4 or above
DSM 7.1CriticalUpgrade to 7.1.1-42962-7 or above
DSM 6.2CriticalUpgrade to 6.2.4-25556-8 or above
DSMUC 3.1CriticalUpgrade to 3.1.4-23079 or above

In addition to the critical code execution vulnerability, researchers also discovered two moderate-severity vulnerabilities:

  • CVE-2024-50629: This vulnerability allows remote attackers to read specific files due to improper encoding in the webapi component.
  • CVE-2024-10445: This issue involves improper certificate validation, allowing an adjacent man-in-the-middle attacker to write limited files.

The vulnerabilities were identified by a team including Pumpkin Chang and Orange Tsai from DEVCORE Research Team, Ryan Emmons, and Team Smoking Barrels.

The recent disclosure of critical vulnerabilities in Synology’s DiskStation Manager (DSM) underscores the importance of maintaining up-to-date security patches.

The ability for remote attackers to execute arbitrary code, as reported in CVE-2024-10441, poses a significant risk to system integrity and data security.

Additionally, the moderate vulnerabilities highlighted by CVE-2024-50629 and CVE-2024-10445 further emphasize the need for immediate action to protect against unauthorized file access and manipulation.

To mitigate these risks, users are strongly advised to upgrade their DSM versions to the latest available patches.

This proactive measure will significantly reduce the vulnerability of their systems to potential attacks.

As cybersecurity threats continue to evolve, staying informed about software updates and applying them on time is crucial for maintaining robust system security.

Investigate Real-World Malicious Links & Phishing Attacks With Threat Intelligence Lookup - Try for Free

Divya

Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.

Recent Posts

Zero-Trust Policy Bypass Enables Exploitation of Vulnerabilities and Manipulation of NHI Secrets

A new project has exposed a critical attack vector that exploits protocol vulnerabilities to disrupt…

4 hours ago

Threat Actor Sells Burger King Backup System RCE Vulnerability for $4,000

A threat actor known as #LongNight has reportedly put up for sale remote code execution…

4 hours ago

Chinese Nexus Hackers Exploit Ivanti Endpoint Manager Mobile Vulnerability

Ivanti disclosed two critical vulnerabilities, identified as CVE-2025-4427 and CVE-2025-4428, affecting Ivanti Endpoint Manager Mobile…

5 hours ago

Hackers Target macOS Users with Fake Ledger Apps to Deploy Malware

Hackers are increasingly targeting macOS users with malicious clones of Ledger Live, the popular application…

5 hours ago

EU Targets Stark Industries in Cyberattack Sanctions Crackdown

The European Union has escalated its response to Russia’s ongoing campaign of hybrid threats, announcing…

8 hours ago

Venice.ai’s Unrestricted Access Sparks Concerns Over AI-Driven Cyber Threats

Venice.ai has rapidly emerged as a disruptive force in the AI landscape, positioning itself as…

9 hours ago