Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2017-15889 — Command Injection in Synology Diskstation Manager

CWE-77 — Command Injection4 documents4 sources

Severity

8.8HIGHNVD

EPSS

62.4%

top 1.63%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

Synology Diskstation Manager

Timeline

PublishedDec 4

Latest updateMay 13

Description

Command injection vulnerability in smart.cgi in Synology DiskStation Manager (DSM) before 5.2-5967-5 allows remote authenticated users to execute arbitrary commands via disk field.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages2 packages

▶NVDsynology/diskstation_manager< 5.2-5967-5

▶CVEListV5synology/diskstation_managerbefore 5.2-5967-5

🔴Vulnerability Details

GHSA

GHSA-93r2-hrhr-f2pp: Command injection vulnerability in smart↗2022-05-13

▶

CVEList

CVE-2017-15889: Command injection vulnerability in smart↗2017-12-04

▶

💥Exploits & PoCs

Exploit-DB

Synology DiskStation Manager - smart.cgi Remote Command Execution (Metasploit)↗2020-05-25

▶