Synology Vulnerability - Remote Attackers Can Execute Commands

The Flaw

A critical security advisory has been issued regarding a severe vulnerability in Synology's DiskStation Manager (DSM). This flaw, tracked as CVE-2026-32746, allows unauthenticated remote attackers to execute arbitrary commands on affected systems. The vulnerability has a near-maximum CVSSv3 base score of 9.8, categorizing it as a critical threat. The root cause lies within the telnetd daemon of the GNU Inetutils package, specifically affecting versions up to 2.7. This issue is classified as a classic buffer overflow (CWE-120).

During an active network session, the LINEMODE SLC (Set Local Characters) suboption handler improperly processes inputs. This happens because the add_slc function fails to check if the buffer is full. As a result, this oversight leads to a dangerous out-of-bounds write, allowing attackers to bypass authentication and execute malicious commands directly on the host system.

In addition, Synology has revealed two severe vulnerabilities in its SSL VPN Client that could let remote attackers steal sensitive files and intercept network traffic. These vulnerabilities, tracked as CVE-2021-47960 (CVSS Score 6.5) and CVE-2021-47961 (CVSS Score 8.1), affect users running older versions of the software and require immediate patching. The first flaw allows remote attackers to read sensitive files directly from the SSL VPN Client installation directory, while the second flaw involves the insecure storage of passwords, allowing attackers to manipulate user credentials.

What's at Risk

NAS devices like Synology's are prime targets for cybercriminals, especially ransomware operators and data extortion groups. These systems often store sensitive corporate data and critical backups. An unauthenticated compromise could enable attackers to deploy ransomware, exfiltrate confidential files, or establish persistent backdoors before security teams can react. The potential for widespread damage is significant, making this vulnerability a serious concern for organizations relying on Synology devices for data management.

Furthermore, the SSL VPN Client vulnerabilities pose additional risks as they can provide attackers with a foothold into user sessions and corporate data, especially if users are tricked into interacting with malicious web pages while connected to the VPN.

Patch Status

Synology has confirmed that multiple versions of DSM and DSMUC are critically impacted by this vulnerability. Administrators running DSM 7.3 must upgrade to version 7.3.2-86009-3 or newer. For those using DSM 7.2.2, the upgrade to version 7.2.2-72806-8 or later is necessary. Systems on DSM 7.2.1 need to upgrade to 7.2.1-69057-11 or above. Synology is actively developing a critical security patch for DSMUC 3.1. Meanwhile, other enterprise products, such as BeeStation OS 1.4, SRM 1.3, and VS600HD 1.2, are unaffected by this specific vulnerability. Additionally, users of the SSL VPN Client should upgrade to version 1.4.5-0684 or newer to mitigate the risks associated with the identified vulnerabilities.

Immediate Actions

For administrators managing systems pending a patch, Synology recommends applying immediate temporary mitigations. Since the vulnerability specifically requires access to the Telnet protocol, turning off the Telnet service can neutralize the risk of remote exploitation. To secure devices, navigate to the Control Panel, access Terminal settings, uncheck the “Enable Telnet service” option, and click Apply. Disabling Telnet aligns with modern cybersecurity best practices, as it transmits data in plaintext and is considered outdated. Additionally, users of the SSL VPN Client should educate themselves about the risks of clicking suspicious links or visiting untrusted websites while connected to enterprise VPNs, and monitor VPN access logs for any unauthorized configuration changes or unusual traffic patterns.