Synology: Three Security Advisories on Resolved Vulnerabilities
Key Takeaways
- DSM 7.3, 7.2.2, 7.2.1 receive critical security patches
- CVE-2026-40530 through CVE-2026-40539 enable file tampering and data leaks
- SSL VPN Client update fixes two CVEs exposing configuration files
- Severity ranges from Moderate to Important, with CVSS scores up to 8.0
- Prompt upgrades required; no mitigation exists for the disclosed flaws
Pulse Analysis
Synology’s DiskStation Manager powers millions of network-attached storage devices worldwide, making it a frequent target for attackers seeking footholds in corporate environments. The recent advisories—SA-26:07 and SA-26:06—cover a spectrum of CVEs that grant remote authenticated users the ability to read or overwrite files, launch denial-of-service attacks, and, in one case, perform man-in-the-middle manipulation. With CVSS scores ranging from 4.3 to 8.0, the vulnerabilities span moderate to important severity, highlighting how even seemingly minor flaws can cascade into significant exposure when left unpatched.
The SSL VPN Client, a companion utility that extends secure remote access, was also found vulnerable. CVE-2021-47960 allowed attackers to harvest files from the client’s installation directory via a loopback-bound HTTP service, while CVE-2021-47961 exposed the client’s PIN code through insecure storage. Both issues could enable credential theft and traffic interception, raising the stakes for organizations that rely on VPNs for remote work. The patches, released as version 1.4.5-0684, close these attack vectors without requiring workarounds, emphasizing the vendor’s commitment to rapid remediation.
For IT leaders, the takeaway is clear: maintain an aggressive patch management cadence for all Synology assets. Given the lack of mitigation options and the potential for data leakage or service disruption, delayed updates translate directly into heightened risk. Moreover, the breadth of affected DSM versions—spanning 7.1 to 7.3—means that legacy deployments cannot be ignored. Integrating automated firmware scanning tools and establishing a baseline of regular vulnerability assessments will help organizations stay ahead of similar threats in an increasingly hostile cyber landscape.