CVE-2017-9554
published 2017-07-24


Priority: P182
CVSS 3.0: 5.3 (medium)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:L / I:N / A:N
Tags: ITW, EXPLOIT, VulnCheck KEV, Initial access
Exploited in the wild
EPSS: 75.02% (99.4th percentile)
An information exposure vulnerability in forget_passwd.cgi in Synology DiskStation Manager (DSM) before 6.1.3-15152 allows remote attackers to enumerate valid usernames via unspecified vectors.

Affected (1 range)

Vendor     Product              Version range      Fixed in
synology   diskstation_manager  <= 6.1.1-15101-4   -

Detection & IOCs (extracted from sources)

path: /webman/forget_passwd.cgi
port: 5001
filename: forget_passwd.cgi
  • Detect repeated GET requests to /webman/forget_passwd.cgi with varying 'user=' parameter values — this is the enumeration attack vector for CVE-2017-9554.
  • The Synology NAS responds differently depending on whether a username exists or not — differential response analysis on forget_passwd.cgi requests can confirm exploitation attempts.
  • These enumeration requests count as login attempts; monitor for rapid sequential requests to forget_passwd.cgi which may trigger the lockout threshold (default: 10 logins in 5 minutes = permanent block).
  • Known target usernames probed during exploitation include: admin, administrator, root, nobody, ftp — monitor for enumeration of these accounts via forget_passwd.cgi.
  • Affected versions span multiple DSM branches — ensure detection and patching cover all three vulnerable release lines.
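The first three detection bullets describe one pattern: a single source issuing many GET requests to /webman/forget_passwd.cgi with different user= values inside a short window, with the response differing by username. The script below is an added example written for this page; it is not code from the page's sources or from Synology. It assumes the NAS front end (or a reverse proxy in front of port 5001) writes access logs in combined log format, and the log lines, the 5-minute window and the threshold of 3 distinct usernames are constructed assumptions chosen to mirror the lockout default quoted above, not values taken from the page.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

TARGET_PATH = "/webman/forget_passwd.cgi"
# Account names the page lists as commonly probed; used here purely as a watchlist.
WATCHLIST = {"admin", "administrator", "root", "nobody", "ftp"}

# Constructed sample access-log lines (combined log format). Not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [24/Jul/2017:10:00:01 +0000] "GET /webman/forget_passwd.cgi?user=admin HTTP/1.1" 200 152
203.0.113.7 - - [24/Jul/2017:10:00:02 +0000] "GET /webman/forget_passwd.cgi?user=administrator HTTP/1.1" 200 140
203.0.113.7 - - [24/Jul/2017:10:00:03 +0000] "GET /webman/forget_passwd.cgi?user=root HTTP/1.1" 200 140
203.0.113.7 - - [24/Jul/2017:10:00:04 +0000] "GET /webman/forget_passwd.cgi?user=nobody HTTP/1.1" 200 140
203.0.113.7 - - [24/Jul/2017:10:00:05 +0000] "GET /webman/forget_passwd.cgi?user=ftp HTTP/1.1" 200 140
198.51.100.9 - - [24/Jul/2017:10:02:10 +0000] "GET /webman/forget_passwd.cgi?user=alice HTTP/1.1" 200 152
198.51.100.9 - - [24/Jul/2017:10:41:00 +0000] "GET /webman/index.cgi HTTP/1.1" 200 9831
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)


def parse_events(log_text):
    """Return (src, timestamp, username, response_size) for GETs to the CGI, time-ordered."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        if m["method"] != "GET" or parts.path != TARGET_PATH:
            continue
        user = parse_qs(parts.query).get("user", [""])[0]
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        size = None if m["size"] == "-" else int(m["size"])
        events.append((m["src"], ts, user, size))
    events.sort(key=lambda e: e[1])
    return events


def detect_enumeration(log_text, window=timedelta(minutes=5), min_distinct=3):
    """One alert per source that queried at least `min_distinct` usernames within `window`."""
    by_src = defaultdict(list)
    for src, ts, user, size in parse_events(log_text):
        by_src[src].append((ts, user, size))

    alerts = []
    for src, evs in by_src.items():
        # Sliding window over this source's requests; keep the densest window seen.
        best, best_slice, start = 0, [], 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            distinct = {u for _, u, _ in evs[start:end + 1]}
            if len(distinct) > best:
                best, best_slice = len(distinct), evs[start:end + 1]
        if best < min_distinct:
            continue
        users = sorted({u for _, u, _ in best_slice})
        size_by_user = {u: s for _, u, s in best_slice}
        alerts.append({
            "src": src,
            "distinct_users": best,
            "users": users,
            "watchlist_hits": sorted(set(users) & WATCHLIST),
            "requests": len(best_slice),
            "window_start": best_slice[0][0].isoformat(),
            "window_end": best_slice[-1][0].isoformat(),
            # More than one response size across probed names is the differential
            # response the second bullet describes; it supports, not proves, the alert.
            "distinct_response_sizes": len(set(size_by_user.values())),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_enumeration(SAMPLE_LOG):
        print(alert)
```

Running it against the constructed lines flags 203.0.113.7 (five usernames in four seconds, all on the watchlist, two distinct response sizes) and stays quiet for 198.51.100.9, which made a single legitimate-looking request. In production the threshold should sit below the lockout default quoted above so the alert fires before the NAS itself starts blocking.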

CVSS provenance

Source     Version  Score  Severity  Vector
nvd        v3.0     5.3    MEDIUM    CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
nvd        v2.0     5.0    MEDIUM    AV:N/AC:L/Au:N/C:P/I:N/A:N
vulncheck  -        5.3    MEDIUM    -