DEF CON 33 - DisguiseDelimit: Exploiting Synology NAS with Delimiters and Novel Tricks - Ryan Emmons

DEF CON
Feb 18, 2026

Why It Matters

A remote, unauthenticated root exploit against millions of Synology NAS devices, many of them exposed directly to the internet, hands attackers a foothold inside corporate and home networks; timely patching and hardening of DSM is therefore critical.

Key Takeaways

  • Unauthenticated vulnerability found in the login flow of the Synology DSM web service
  • Exploit chains three CGI‑based processes: attacker‑controlled data is written to transient files and then loaded as environment variables into a root process
  • Synology’s custom client‑side RSA/AES encryption of login data complicates injecting payloads directly on the wire
  • The Vue.js devtools browser extension can force the web UI into a debuggable state, so payloads are inserted by editing the front‑end before encryption rather than by defeating the encryption itself
  • Research earned a $40,000 prize at Pwn2Own in October 2024, underlining its impact
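The bug class behind the second takeaway, shown as an added Python illustration rather than Synology's code or the speaker's exploit: a front end writes a request‑derived value into a transient KEY=VALUE file, and a privileged reader loads that file into the environment of the process it is about to start. The file format, the variable name LOGIN_USER and the injected LD_PRELOAD=/tmp/evil.so are assumptions made for the demo; the page does not say which DSM files or variables were actually involved. The naive writer beside the hardened one shows why a single smuggled newline is enough, and why the reader should also allowlist what it imports.

```python
"""Delimiter smuggling through a transient KEY=VALUE file.

Added example, not DSM code: the format and names are assumptions.
"""
import re

# Delimiters of the assumed file format: one KEY=VALUE record per line.
# Anyone who controls a value and can embed these controls the parse.
RECORD_SEP = "\n"
KV_SEP = "="
KEY_RE = re.compile(r"^[A-Z_][A-Z0-9_]*$")

LOGIN_KEY = "LOGIN_USER"  # assumed variable name, not a DSM identifier

# Constructed attacker input: a "username" carrying a newline so the naive
# writer emits a second record that the privileged reader will honour.
SMUGGLED_USER = "alice" + RECORD_SEP + "LD_PRELOAD=/tmp/evil.so"


def serialize_env_naive(values):
    """Vulnerable writer: interpolates values straight into the record format."""
    return "".join(f"{key}{KV_SEP}{value}{RECORD_SEP}" for key, value in values.items())


def serialize_env_strict(values):
    """Hardened writer: rejects any key or value that could be mis-parsed."""
    out = []
    for key, value in values.items():
        if not KEY_RE.match(key):
            raise ValueError(f"bad key {key!r}")
        # NUL cannot appear in an environment string at all; CR/LF would end
        # the record early and start a new, attacker-chosen one.
        if any(ch in value for ch in ("\0", "\r", RECORD_SEP)):
            raise ValueError(f"delimiter smuggled into {key}={value!r}")
        out.append(f"{key}{KV_SEP}{value}{RECORD_SEP}")
    return "".join(out)


def parse_env_file(text):
    """Reader on the privileged side: the first '=' splits key from value."""
    env = {}
    for line in text.split(RECORD_SEP):
        if not line:
            continue
        key, _, value = line.partition(KV_SEP)
        env[key] = value
    return env


def load_env_allowlisted(text, allowed):
    """Reader-side defence: keep only the variables the process expects."""
    return {k: v for k, v in parse_env_file(text).items() if k in allowed}


def roundtrip(username, strict):
    """Environment the privileged process would inherit for this username."""
    writer = serialize_env_strict if strict else serialize_env_naive
    return parse_env_file(writer({LOGIN_KEY: username}))


def strict_rejects(username):
    """True when the hardened writer refuses to serialize this username."""
    try:
        serialize_env_strict({LOGIN_KEY: username})
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("naive :", roundtrip(SMUGGLED_USER, strict=False))
    print("strict rejects smuggled user:", strict_rejects(SMUGGLED_USER))
    raw = serialize_env_naive({LOGIN_KEY: SMUGGLED_USER})
    print("allow :", load_env_allowlisted(raw, {LOGIN_KEY}))
```

A username containing only `=` survives both writers unchanged because the reader splits on the first `=`; the dangerous delimiter is the one that separates records, which is why the strict writer rejects CR, LF and NUL but not `=`. In a real chain the privileged side would pass the resulting mapping to exec, which is where a smuggled LD_PRELOAD or similar loader variable turns the parse bug into code execution.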

Summary

At DEF CON 33, Ryan Emmons presented a case study on discovering and weaponising an unauthenticated vulnerability in Synology’s DiskStation Manager (DSM) operating system, research that culminated in a $40,000 Pwn2Own win in October 2024.

By instrumenting the login flow with eBPF tracing and inotify, he traced a chain of three CGI‑based processes that write attacker‑controlled data to transient files and then load it into the environment of a privileged root process. Smuggling delimiters into that data yields remote code execution as root without prior authentication or a man‑in‑the‑middle position.
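The inotify half of that instrumentation, as an added example rather than the speaker's own tooling (the eBPF side is not shown here): a watcher that snapshots every file in a directory the moment its writer closes it, and records when it is unlinked, so that the transient files a CGI creates during a login request can be inspected after the fact. It is Linux‑only and calls the inotify(7) API through ctypes; the directory, the file name login.env and its contents in the demo are constructed for the illustration.

```python
"""Capture short-lived files before the process that wrote them cleans up.

Added example, not the speaker's tooling. Linux only (inotify via ctypes).
"""
import ctypes
import ctypes.util
import os
import struct
import sys
import tempfile

IS_LINUX = sys.platform.startswith("linux")

# Event bits from <sys/inotify.h>.
IN_CLOSE_WRITE = 0x00000008  # writer closed the file: contents are complete
IN_MOVED_TO = 0x00000080     # file renamed into the directory (atomic writes)
IN_DELETE = 0x00000200       # file unlinked
IN_NONBLOCK = os.O_NONBLOCK  # inotify_init1 flag; same value as O_NONBLOCK

# struct inotify_event header: int wd; uint32 mask; uint32 cookie; uint32 len
_EVENT_HDR = struct.Struct("iIII")

DEMO_CONTENT = b"LOGIN_USER=alice\n"  # constructed stand-in for a CGI's output


class TransientFileCapturer:
    """Watches one directory and copies each file as soon as it is closed."""

    def __init__(self, directory):
        self.directory = directory
        self.captured = {}  # name -> bytes snapshotted at close time
        self.deleted = []   # names seen being unlinked, in order
        libc = ctypes.CDLL(ctypes.util.find_library("c") or None, use_errno=True)
        libc.inotify_init1.argtypes = [ctypes.c_int]
        libc.inotify_add_watch.argtypes = [ctypes.c_int, ctypes.c_char_p, ctypes.c_uint32]
        self._fd = libc.inotify_init1(IN_NONBLOCK)
        if self._fd < 0:
            raise OSError(ctypes.get_errno(), "inotify_init1 failed")
        mask = IN_CLOSE_WRITE | IN_MOVED_TO | IN_DELETE
        if libc.inotify_add_watch(self._fd, os.fsencode(directory), mask) < 0:
            raise OSError(ctypes.get_errno(), f"inotify_add_watch({directory}) failed")

    def poll(self):
        """Drain every queued event without blocking; returns the count."""
        try:
            buf = os.read(self._fd, 64 * 1024)
        except BlockingIOError:
            return 0
        count, off = 0, 0
        while off + _EVENT_HDR.size <= len(buf):
            _wd, mask, _cookie, length = _EVENT_HDR.unpack_from(buf, off)
            off += _EVENT_HDR.size
            # The name is NUL-padded to `length` bytes (empty for dir events).
            name = os.fsdecode(buf[off:off + length].split(b"\0", 1)[0])
            off += length
            if name and mask & (IN_CLOSE_WRITE | IN_MOVED_TO):
                self._snapshot(name)
            if name and mask & IN_DELETE:
                self.deleted.append(name)
            count += 1
        return count

    def _snapshot(self, name):
        path = os.path.join(self.directory, name)
        try:
            with open(path, "rb") as fh:
                self.captured[name] = fh.read()
        except FileNotFoundError:
            pass  # lost the race: unlinked between the event and our open()

    def close(self):
        os.close(self._fd)


def demo_capture():
    """Stand-in for a login step that writes, then removes, a transient file.

    Returns (bytes captured for 'login.env', list of deleted names).
    """
    with tempfile.TemporaryDirectory() as workdir:
        cap = TransientFileCapturer(workdir)
        try:
            path = os.path.join(workdir, "login.env")  # constructed file name
            with open(path, "wb") as fh:
                fh.write(DEMO_CONTENT)  # IN_CLOSE_WRITE fires when the with exits
            cap.poll()
            os.remove(path)             # IN_DELETE
            cap.poll()
        finally:
            cap.close()
    return cap.captured.get("login.env"), list(cap.deleted)


if __name__ == "__main__":
    print(demo_capture() if IS_LINUX else "inotify is Linux-only")
```

Point it at the directory the CGI under study writes to (typically somewhere under /tmp) and call poll() in a loop while replaying the login request; inotifywait -m -e close_write,delete DIR from inotify‑tools gives the same event stream when the contents are not needed. The read in _snapshot races the deleter, so a file unlinked immediately after close can still be missed; the eBPF trace of the writing process is what closes that gap in the methodology the talk describes.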

The research also covered Synology’s custom client‑side RSA/AES encryption of login credentials, and showed how the Vue.js devtools browser extension can force the web UI into a debuggable state; editing the front‑end there lets a payload be injected before the encryption is applied, which removes the need to defeat the scheme on the wire.

With millions of affected devices, many of them reachable from the public internet, the flaw presents a very large attack surface. Organizations should update DSM, disable web services they do not need, and monitor for anomalous process activity on the NAS to reduce the risk of lateral compromise.

Original Description

Network Attached Storage (NAS) devices are indispensable in many corporate and home environments. These devices often live on the network edge, providing convenient remote access to confidential files and internal networks from the public internet. What happens when this goes terribly wrong?
In this presentation, I’ll discuss how I developed a zero-day exploit targeting dozens of Synology NAS products. At the time of discovery, the exploit facilitated unauthenticated root-level remote code execution on millions of NAS devices in the default configuration. My exploitation strategy centered around smuggling different types of delimiters that targeted multiple software components.
In the past, exploitation of the vulnerability’s bug class demanded additional primitives that weren’t available on my targets. While searching for alternative paths, I discovered a novel remote Linux exploitation technique. I’ll be presenting this technique, which can be used in other researchers’ exploit chains in the future. For the first time in public, I’ll also be discussing the details of my Synology vulnerability research, which won a $40,000 prize at the October 2024 Pwn2Own competition.
