CVE-2020-27649 — Improper Certificate Validation in Synology Router Manager

CWE-295 — Improper Certificate Validation3 documents3 sources

Severity

9.0CRITICALNVD

CNA8.3

EPSS

0.2%

top 60.63%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Synology Router Manager Synology Router Manager

Timeline

PublishedOct 29

Latest updateMay 24

Description

Improper certificate validation vulnerability in OpenVPN client in Synology Router Manager (SRM) before 1.2.4-8081 allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:HExploitability: 2.2 | Impact: 6.0

Affected Packages2 packages

▶NVDsynology/router_manager1.2 — 1.2.4-8081

▶CVEListV5synology/synology_router_managerunspecified — 1.2.4-8081

🔴Vulnerability Details

GHSA

GHSA-pxvm-4ffc-chr4: Improper certificate validation vulnerability in OpenVPN client in Synology Router Manager (SRM) before 1↗2022-05-24

▶

CVEList

CVE-2020-27649: Improper certificate validation vulnerability in OpenVPN client in Synology Router Manager (SRM) before 1↗2020-10-29

▶