
Synology Network File System Vulnerability Allows Unauthorized File Access

A critical security vulnerability in Synology’s Network File System (NFS) service, tracked as CVE-2025-1021, has been patched. Before the fix, it allowed unauthenticated remote attackers to read sensitive files on vulnerable DiskStation Manager (DSM) devices.

The flaw, marked as “Important” in severity by Synology, affects several versions of DSM, the operating system powering the company’s popular Network Attached Storage (NAS) solutions.

Vulnerability Details

The issue centers around a missing authorization check in the synocopy component of DSM.

According to Synology’s security advisory Synology-SA-25:03, the vulnerability permits unauthenticated attackers to read arbitrary files via a writable NFS service, potentially exposing confidential information.

The Common Vulnerability Scoring System (CVSS v3.1) rates this risk at 7.5 out of 10, underlining its seriousness.

Crucially, the attack does not require any user interaction or authentication, enabling exploitation by remote threat actors.

Successful attacks could lead to severe data leakage, including personal files, business documents, and other sensitive data stored on NAS devices.

Aspect              Details
Vulnerability ID    CVE-2025-1021
Product             Synology DiskStation Manager (DSM)
Component           synocopy (NFS Service)
Severity            Important
CVSS v3.1 Score     7.5

Affected Products and Fixes

The vulnerability is present in the following DSM versions:

  • DSM 7.2.2 — Fixed in 7.2.2-72806-3 and later
  • DSM 7.2.1 — Fixed in 7.2.1-69057-7 and later
  • DSM 7.1 — Fixed in 7.1.1-42962-8 and later

Synology recommends that all users immediately upgrade to the latest patched versions. No mitigation strategy is available other than applying the update.
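As an added example (not code from the article or from Synology), the following Python check parses DSM version strings of the form used above and compares them against the fixed versions listed in the advisory, so an inventory of NAS devices can be triaged for CVE-2025-1021. The host names and the build numbers in the sample inventory are constructed; branches the advisory does not list are reported as unknown rather than guessed.

```python
import re
from typing import Dict, Optional, Tuple

# (major, minor, patch, build, hotfix) - a DSM version such as 7.2.2-72806-3
Version = Tuple[int, int, int, int, int]

# First fixed version on each branch, taken from the advisory text above.
# Keyed by branch prefix: 7.2.2 and 7.2.1 are separate lines, DSM 7.1 is one line.
FIXED: Dict[Tuple[int, ...], Version] = {
    (7, 2, 2): (7, 2, 2, 72806, 3),
    (7, 2, 1): (7, 2, 1, 69057, 7),
    (7, 1):    (7, 1, 1, 42962, 8),
}

_VER_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?-(\d+)(?:-(\d+))?$")


def parse_dsm_version(text: str) -> Version:
    """Parse '7.2.2-72806-3' (or '7.1-41000-2') into a comparable tuple.

    A missing patch component counts as 0, and a missing hotfix suffix counts
    as 0, so '7.2.2-72806' sorts before the fixed hotfix '7.2.2-72806-3'.
    """
    m = _VER_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised DSM version: {text!r}")
    major, minor, patch, build, hotfix = m.groups()
    return (int(major), int(minor), int(patch or 0), int(build), int(hotfix or 0))


def cve_2025_1021_status(text: str) -> str:
    """Return 'patched', 'vulnerable' or 'unknown' for one DSM version string.

    'unknown' means the branch is not covered by the advisory (e.g. DSM 6.x or
    7.2.0), so the device must be reviewed by hand rather than assumed safe.
    """
    v = parse_dsm_version(text)
    fixed: Optional[Version] = FIXED.get(v[:3]) or FIXED.get(v[:2])
    if fixed is None:
        return "unknown"
    return "patched" if v >= fixed else "vulnerable"


if __name__ == "__main__":
    # Constructed sample inventory; hosts and build numbers are made up.
    inventory = {"nas-01": "7.2.2-72806-3", "nas-02": "7.2.2-72806",
                 "nas-03": "7.1-41000-2", "nas-04": "6.2.4-25556-7"}
    for host, ver in inventory.items():
        print(f"{host:8} {ver:16} {cve_2025_1021_status(ver)}")
```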

This issue was responsibly disclosed by the DEVCORE Research Team (https://devco.re/), who identified the flaw and reported it to Synology.

The advisory was first released on February 26, 2025, with full vulnerability details disclosed on April 23, 2025, after patches were made available.

Owners of Synology NAS devices running affected versions of DSM are strongly urged to upgrade as soon as possible to avoid unauthorized access to their stored files.

Organizations using exposed NFS services should be particularly vigilant, as exploitation does not require any special access credentials.

This vulnerability highlights the importance of regular updates and monitoring of NAS environments, especially those accessible over network file systems.

Synology’s swift response and the coordinated disclosure with security researchers have helped to minimize the potential impact, but the incident serves as a reminder that NAS security is critical in protecting sensitive data in homes and businesses alike.


Divya

Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.
