cbcvebase.
CVE-2013-6955
published 2014-01-09


Priority: P275, critical
CVSS 2.0: 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
EXPLOIT
EPSS: 84.57% (99.7th percentile)
webman/imageSelector.cgi in Synology DiskStation Manager (DSM) 4.0 before 4.0-2259, 4.2 before 4.2-3243, and 4.3 before 4.3-3810 Update 1 allows remote attackers to append data to arbitrary files, and consequently execute arbitrary code, via a pathname in the SLICEUPLOAD X-TMP-FILE HTTP header.

Affected

4 ranges

Vendor   | Product             | Version range | Fixed in
synology | diskstation_manager |               |
synology | diskstation_manager |               |
synology | diskstation_manager |               |
synology | diskstation_manager |               |

Detection & IOCs (extracted from sources)

path: /webman/imageSelector.cgi
path: /usr/syno/synoman/redirect.cgi
path: /redirect.cgi
port: 5000
other: X-TYPE-NAME: SLICEUPLOAD
other: X-TMP-FILE (HTTP header)
  • Detect unauthenticated POST requests to /webman/imageSelector.cgi containing the custom HTTP headers X-TYPE-NAME: SLICEUPLOAD and X-TMP-FILE with a file path — this is the exploit trigger.
  • Alert on any HTTP response from /webman/imageSelector.cgi containing 'error_noprivilege' in the body following a SLICEUPLOAD POST — the exploit module treats this as a success indicator.
  • Monitor for a subsequent GET request to /redirect.cgi immediately after a POST to /webman/imageSelector.cgi — this two-stage pattern (write then invoke) is the exploitation sequence.
  • Check GET requests to /webman/info.cgi?host= (empty host parameter) on port 5000 — this is the pre-exploitation version fingerprinting step used by the Metasploit module.
  • The exploit targets DSM on TCP port 5000 by default; monitor for the above suspicious request patterns specifically on that port.
  • The 4.1 branch of Synology DSM is confirmed vulnerable but has no official patch — fixed versions only cover 4.0-2259, 4.2-3243, and 4.3-3810 Update 1.
  • The vulnerability is exploitable by completely unauthenticated remote attackers — no credentials are required to trigger the SLICEUPLOAD file-append primitive.
  • Successful exploitation results in arbitrary command execution under root privileges, not just file write.
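
The detection bullets above, combined into one correlation pass over parsed HTTP events. This is an added example, not code from this page or from Synology; the event field names (`ts`, `src`, `method`, `uri`, `headers`, `resp_body`), the 60-second window and the sample events are assumptions constructed for illustration, and port filtering is left to the log source.

```python
from urllib.parse import urlsplit, parse_qs

WINDOW_SECONDS = 60  # assumption: how soon a GET counts as "immediately after"

def classify(ev):
    """Return the indicators from the list above that one HTTP event matches."""
    url = urlsplit(ev["uri"])
    hdrs = {k.lower(): v for k, v in ev.get("headers", {}).items()}
    hits = set()
    if ev["method"] == "POST" and url.path == "/webman/imageSelector.cgi":
        slice_upload = hdrs.get("x-type-name", "").strip().upper() == "SLICEUPLOAD"
        if slice_upload and hdrs.get("x-tmp-file"):
            hits.add("sliceupload_trigger")
            if "error_noprivilege" in ev.get("resp_body", ""):
                hits.add("success_indicator")
    elif ev["method"] == "GET" and url.path == "/webman/info.cgi":
        if parse_qs(url.query, keep_blank_values=True).get("host") == [""]:
            hits.add("version_fingerprint")
    elif ev["method"] == "GET" and url.path == "/redirect.cgi":
        hits.add("redirect_get")
    return hits

def detect(events):
    """Return (src, alert, ts) tuples for events sorted by ts."""
    alerts, last_trigger = [], {}
    for ev in events:
        hits, src = classify(ev), ev["src"]
        for name in ("version_fingerprint", "sliceupload_trigger", "success_indicator"):
            if name in hits:
                alerts.append((src, name, ev["ts"]))
        if "sliceupload_trigger" in hits:
            last_trigger[src] = ev["ts"]
        elif "redirect_get" in hits and src in last_trigger:
            # Two-stage pattern: SLICEUPLOAD POST, then GET /redirect.cgi.
            if ev["ts"] - last_trigger.pop(src) <= WINDOW_SECONDS:
                alerts.append((src, "write_then_invoke", ev["ts"]))
    return alerts

# Constructed sample events: documentation addresses, placeholder header value.
SLICE = {"X-TYPE-NAME": "SLICEUPLOAD", "X-TMP-FILE": "/constructed/placeholder"}
SAMPLE = [
    {"ts": 0, "src": "198.51.100.7", "method": "GET", "uri": "/webman/info.cgi?host="},
    {"ts": 5, "src": "198.51.100.7", "method": "POST", "uri": "/webman/imageSelector.cgi",
     "headers": SLICE, "resp_body": "constructed body: error_noprivilege"},
    {"ts": 7, "src": "198.51.100.7", "method": "GET", "uri": "/redirect.cgi"},
    {"ts": 9, "src": "192.0.2.10", "method": "GET", "uri": "/redirect.cgi"},
    {"ts": 10, "src": "192.0.2.10", "method": "POST", "uri": "/webman/imageSelector.cgi"},
    {"ts": 11, "src": "192.0.2.10", "method": "GET", "uri": "/webman/info.cgi?host=nas"},
]
```

Calling `detect(SAMPLE)` returns four alerts for 198.51.100.7 and none for 192.0.2.10, whose requests lack the SLICEUPLOAD headers or a preceding trigger.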