Synology A.I CyberSecurity Scoring
Synology
Company Information
Website: http://www.synology.com
Employees number: 986
Number of followers: 34,649
NAICS: 5415
Industry Type: IT Services and IT Consulting
Homepage: synology.com
Synology Risk Score (AI oriented)
Between 700 and 749
Synology, IT Services and IT Consulting
Updated: 14/04/2026
726/1000
Moderate
Ba

Current Score: 726 Ba (MODERATE)
5 incidents
-4 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JUNE 2026
728
MAY 2026
727
APRIL 2026
726
MARCH 2026
730
Vulnerability
26 Mar 2026 • Synology
Synology: Synology DiskStation Manager Vulnerability Puts Users at Risk of Remote Command Execution Attacks
Synology Patches Critical Remote Code Execution Flaw in DSM Software
726
CRITICAL-4
SYN1774513446
Synology has released an urgent security update for its DiskStation Manager (DSM) software to address a critical vulnerability (CVE-2026-32746) that could allow unauthenticated remote attackers to execute arbitrary commands on affected network-attached storage (NAS) devices. The flaw, tracked under advisory Synology-SA-26:03, carries a CVSS score of 9.8, classifying it as a severe risk.
The vulnerability stems from a buffer overflow defect (CWE-120) in the telnetd service of the GNU Inetutils package, specifically within the LINEMODE SLC suboption handler. Due to improper memory buffer checks in the `add_slc` function, attackers can exploit this flaw to trigger an out-of-bounds write, enabling remote code execution without authentication.
Given that NAS devices often store sensitive business backups and personal data, successful exploitation could lead to ransomware deployment, data theft, or lateral movement within internal networks. The issue affects multiple DSM versions, including 7.3, 7.2.2, and 7.2.1, though patches are available for most. Some specialized systems, such as DSMUC 3.1, remain under active fix development.
Synology has provided immediate mitigation steps for unpatched devices, urging administrators to disable the Telnet service via the Control Panel’s Terminal settings. Unaffected platforms include BeeStation OS 1.4, Synology Router Manager (SRM) 1.3, and VS600HD 1.2. The company emphasizes replacing legacy protocols like Telnet with encrypted alternatives such as SSH.
FEBRUARY 2026
730
JANUARY 2026
729
DECEMBER 2025
729
NOVEMBER 2025
728
OCTOBER 2025
727
SEPTEMBER 2025
726
AUGUST 2025
725
JULY 2025
725
MARCH 2025
726
Vulnerability
27 Mar 2025 • Synology
Synology
Synology Mail Server Vulnerability (CVE-2025-2848)
721
HIGH-5
SYN320032725
Synology recently disclosed a moderate-severity vulnerability in Synology Mail Server, tracked as CVE-2025-2848, affecting DSM 7.1 and 7.2 versions. The flaw allowed remote authenticated attackers to adjust non-sensitive settings and disable some non-critical features. There were no reports of data compromise or critical system disruption, but the potential to manipulate system configurations did exist. Synology promptly released security patches to address the vulnerability and urged users to update their servers to protect their systems from potential exploitation. The access control oversight underscores the importance of ongoing vigilance and immediate response to identified security issues within network-connected storage solutions.
NOVEMBER 2024
727
Vulnerability
01 Nov 2024 • Synology
Synology
Synology NAS Zero-Click Vulnerability
722
CRITICAL-5
SYN000110224
Synology's network-attached storage (NAS) devices, specifically the widely used Synology Photos application on BeeStation and DiskStation systems, suffer from a critical zero-click vulnerability. If exploited, attackers could gain unauthorized root access to the devices, enabling them to steal personal and corporate files, plant backdoors, or deploy ransomware, severely impeding user access to stored data. The flaw was discovered during the Pwn2Own contest and exposes potentially millions of internet-connected Synology NAS devices to significant risk. Although the issue has been reported to Synology, the widespread use of their storage solutions and the severity of the potential data breaches present a concerning scenario for both individual and corporate users.
JANUARY 2021
681
Vulnerability
01 Jan 2021 • Synology
Synology: Synology SSL VPN Client Vulnerability Enabled Remote Access to Sensitive Files
Synology Patches Critical Vulnerabilities in SSL VPN Client
676
CRITICAL-5
SYN1776147816
Synology has released a security update addressing two significant vulnerabilities in its SSL VPN Client, a tool widely used to establish encrypted connections to internal networks. Tracked under advisory Synology-SA-26:05, these flaws could enable remote attackers to access sensitive system files and intercept secure traffic, potentially bypassing perimeter defenses.
The first vulnerability, CVE-2021-47960 (CVSS 6.5), stems from improper access controls on files and directories within the VPN client’s installation path. Attackers could exploit this by tricking users into visiting a malicious webpage, leveraging a local HTTP server to extract sensitive data, including application configurations, security certificates, and connection logs.
The second flaw, CVE-2021-47961 (CVSS 8.1), is more severe, involving the insecure plaintext storage of user passwords. Exploiting this weakness, which also requires user interaction via a malicious link, could allow attackers to access or manipulate a user’s PIN, compromise VPN configurations, and intercept network traffic.
Both vulnerabilities rely on social engineering tactics, such as phishing, to execute. While they cannot be exploited without victim involvement, successful attacks could undermine the security of VPN-encrypted tunnels, exposing corporate and personal data.
Security researcher Laurent Sibilla discovered and reported the issues. Synology has resolved them in SSL VPN Client version 1.4.5-0684 or later. No workarounds are available, making immediate patching the only effective defense. Administrators are advised to verify endpoint updates, particularly for remote workers, to mitigate risks to network infrastructure.
JULY 2019
757
Ransomware
01 Jul 2019 • Synology
Synology
Synology NAS Ransomware Attack
648
HIGH-109
SYN15271423
Synology warned users to strengthen the passwords to their network attached storage (NAS) after several devices capable of storing terabytes of data were encrypted by ransomware.
The attackers demanded 0.06 Bitcoin, then worth around $350, to regain access to files.
After an intensive investigation into this matter, the company found that the attacker used botnet addresses to hide the real source IP.
The firm recommended that customers use Synology's network and account management settings to prevent internet-based attacks.