Synology Diskstation Manager vulnerabilities
96 known vulnerabilities affecting synology/diskstation_manager.
Total CVEs: 96
CISA KEV: 1 (actively exploited)
Public exploits: 10
Exploited in wild: 2
Severity breakdown: CRITICAL 18, HIGH 47, MEDIUM 29, LOW 2
Vulnerabilities
Page 1 of 5
CVE-2024-45538 | CRITICAL | CVSS 9.6 | affected: ≥ 7.2.1-69057, < 7.2.1-69057-2; ≥ 7.2.2-72803, < 7.2.2-72806 | 2025-12-04
Detail rating: [CRITICAL], CWE-352
Cross-Site Request Forgery (CSRF) vulnerability in WebAPI Framework in Synology DiskStation Manager (DSM) before 7.2.1-69057-2 and 7.2.2-72806 and Synology Unified Controller (DSMUC) before 3.1.4-23079 allows remote attackers to execute arbitrary code via unspecified vectors.
Source: nvd
CVE-2024-5401 | HIGH | CVSS 8.8 | affected: ≥ 7.2.1-69057, < 7.2.1-69057-2; ≥ 7.2.2-72803, < 7.2.2-72806 | 2025-12-04
Detail rating: [MEDIUM], CWE-913
Improper control of dynamically-managed code resources vulnerability in WebAPI component in Synology DiskStation Manager (DSM) before 7.1.1-42962-8 and 7.2.1-69057-2 and 7.2.2-72806 and Synology Unified Controller (DSMUC) before 3.1.4-23079 allows remote authenticated users to obtain privileges without consent via unspecified vectors.
Source: nvd
CVE-2024-45539 | HIGH | CVSS 7.5 | affected: ≥ 7.2.1-69057, < 7.2.1-69057-2; ≥ 7.2.2-72803, < 7.2.2-72806 | 2025-12-04
Detail rating: [HIGH], CWE-787
Out-of-bounds write vulnerability in cgi components in Synology DiskStation Manager (DSM) before 7.2.1-69057-2 and 7.2.2-72806 and Synology Unified Controller (DSMUC) before 3.1.4-23079 allows remote attackers to conduct denial-of-service attacks via unspecified vectors.
Source: nvd
CVE-2025-1021 | HIGH | CVSS 7.5 | affected: ≥ 7.1, < 7.1.1-42962-8; ≥ 7.2.1-69057, < 7.2.1-69057-7 (+1 more) | 2025-04-23
Detail rating: [HIGH], CWE-862
Missing authorization vulnerability in synocopy in Synology DiskStation Manager (DSM) before 7.1.1-42962-8, 7.2.1-69057-7 and 7.2.2-72806-3 allows remote attackers to read arbitrary files via unspecified vectors.
Source: nvd
CVE-2024-10441 | CRITICAL | CVSS 9.8 | affected: ≥ 7.2, < 7.2-64570-4; ≥ 7.2.1-69057, < 7.2.1-69057-6 (+1 more) | 2025-03-19
Detail rating: [CRITICAL], CWE-116
Improper encoding or escaping of output vulnerability in the system plugin daemon in Synology BeeStation OS (BSM) before 1.1-65374 and Synology DiskStation Manager (DSM) before 7.2-64570-4, 7.2.1-69057-6 and 7.2.2-72806-1 allows remote attackers to execute arbitrary code via unspecified vectors.
Source: nvd
CVE-2024-10444 | HIGH | CVSS 7.5 | affected: ≥ 7.1, < 7.1.1-42962-8; ≥ 7.2.1-69057, < 7.2.1-69057-7 (+1 more) | 2025-03-19
Detail rating: [HIGH], CWE-295
Improper certificate validation vulnerability in the LDAP utilities in Synology DiskStation Manager (DSM) before 7.1.1-42962-8, 7.2.1-69057-7 and 7.2.2-72806-3 allows man-in-the-middle attackers to hijack the authentication of administrators via unspecified vectors.
Source: nvd
CVE-2024-50629 | MEDIUM | CVSS 5.3 | affected: ≥ 7.1, < 7.1.1-42962-7; ≥ 7.2, < 7.2-64570-4 (+2 more) | 2025-03-19
Detail rating: [MEDIUM], CWE-116
Improper encoding or escaping of output vulnerability in the webapi component in Synology BeeStation OS (BSM) before 1.1-65374 and Synology DiskStation Manager (DSM) before 7.1.1-42962-7, 7.2-64570-4, 7.2.1-69057-6 and 7.2.2-72806-1 allows remote attackers to read limited files via unspecified vectors.
Source: nvd
CVE-2024-10445 | MEDIUM | CVSS 5.3 | affected: ≥ 6.2, < 6.2.4-25556-8; ≥ 7.2, < 7.2-64570-4 (+2 more) | 2025-03-19
Detail rating: [MEDIUM], CWE-295
Improper certificate validation vulnerability in the update functionality in Synology BeeStation OS (BSM) before 1.1-65374 and Synology DiskStation Manager (DSM) before 6.2.4-25556-8, 7.1.1-42962-7, 7.2-64570-4, 7.2.1-69057-6 and 7.2.2-72806-1 allows remote attackers to write limited files via unspecified vectors.
Source: nvd
CVE-2024-0854 | MEDIUM | CVSS 5.4 | fixed in 7.2.1-69057-2 | 2024-01-24
Detail rating: [MEDIUM], CWE-601
URL redirection to untrusted site ('Open Redirect') vulnerability in file access component in Synology DiskStation Manager (DSM) before 6.2.4-25556-8, 7.0.1-42218-7, 7.1.1-42962-7 and 7.2.1-69057-2 allows remote authenticated users to conduct phishing attacks via unspecified vectors.
Source: nvd
CVE-2023-0142 | HIGH | CVSS 8.1 | affected: ≥ 6.2, < 7.1-42661 | 2023-06-13
Detail rating: [MEDIUM], CWE-427
Uncontrolled search path element vulnerability in Backup Management functionality in Synology DiskStation Manager (DSM) before 6.2.4-25556-8, 7.0.1-42218-7 and 7.1-42661 allows remote authenticated users with administrator privileges to read or write arbitrary files via unspecified vectors.
Source: nvd
CVE-2023-2729 | HIGH | CVSS 7.5 | affected: ≥ 6.2, < 7.2-64561 | 2023-06-13
Detail rating: [MEDIUM]
Use of insufficiently random values vulnerability in User Management Functionality in Synology DiskStation Manager (DSM) before 7.2-64561 allows remote attackers to obtain user credential via unspecified vectors.
Source: nvd
CVE-2022-27623 | CRITICAL | CVSS 9.1 | fixed in 7.1-42661 | 2022-10-25
Detail rating: [HIGH], CWE-306
Missing authentication for critical function vulnerability in iSCSI management functionality in Synology DiskStation Manager (DSM) before 7.1-42661 allows remote attackers to read or write arbitrary files via unspecified vectors.
Source: nvd
CVE-2022-27622 | MEDIUM | CVSS 4.3 | fixed in 7.1-42661 | 2022-10-25
Detail rating: [MEDIUM], CWE-918
Server-Side Request Forgery (SSRF) vulnerability in Package Center functionality in Synology DiskStation Manager (DSM) before 7.1-42661 allows remote authenticated users to access intranet resources via unspecified vectors.
Source: nvd
CVE-2022-27624 | CRITICAL | CVSS 9.8 | fixed in 7.1.1-42962-2 | 2022-10-20
Detail rating: [CRITICAL], CWE-119
A vulnerability regarding improper restriction of operations within the bounds of a memory buffer is found in the packet decryption functionality of Out-of-Band (OOB) Management. This allows remote attackers to execute arbitrary commands via unspecified vectors. The following models with Synology DiskStation Manager (DSM) versions before 7.1.1-429
Source: nvd
CVE-2022-27625 | CRITICAL | CVSS 9.8 | fixed in 7.1.1-42962-2 | 2022-10-20
Detail rating: [CRITICAL], CWE-119
A vulnerability regarding improper restriction of operations within the bounds of a memory buffer is found in the message processing functionality of Out-of-Band (OOB) Management. This allows remote attackers to execute arbitrary commands via unspecified vectors. The following models with Synology DiskStation Manager (DSM) versions before 7.1.1-42
Source: nvd
CVE-2022-3576 | HIGH | CVSS 7.5 | fixed in 7.1.1-42962-2 | 2022-10-20
Detail rating: [MEDIUM], CWE-125
A vulnerability regarding out-of-bounds read is found in the session processing functionality of Out-of-Band (OOB) Management. This allows remote attackers to obtain sensitive information via unspecified vectors. The following models with Synology DiskStation Manager (DSM) versions before 7.1.1-42962-2 may be affected: DS3622xs+, FS3410, and HD6500.
Source: nvd
CVE-2022-27626 | HIGH | CVSS 8.1 | fixed in 7.1.1-42962-2 | 2022-10-20
Detail rating: [CRITICAL], CWE-362
A vulnerability regarding concurrent execution using shared resource with improper synchronization ('Race Condition') is found in the session processing functionality of Out-of-Band (OOB) Management. This allows remote attackers to execute arbitrary commands via unspecified vectors. The following models with Synology DiskStation Manager (DSM) vers
Source: nvd
CVE-2022-27616 | HIGH | CVSS 7.2 | affected: ≥ 6.2, < 6.2.4-25556-5; ≥ 7.0, < 7.0.1-42218-3 | 2022-08-03
Detail rating: [HIGH], CWE-78
Improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability in webapi component in Synology DiskStation Manager (DSM) before 7.0.1-42218-3 allows remote authenticated users to execute arbitrary commands via unspecified vectors.
Source: nvd
CVE-2022-22684 | HIGH | CVSS 8.8 | fixed in 6.2.4-25553 | 2022-07-28
Detail rating: [HIGH], CWE-78
Improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability in task management component in Synology DiskStation Manager (DSM) before 6.2.4-25553 allows remote authenticated users to execute arbitrary commands via unspecified vectors.
Source: nvd
CVE-2022-27610 | HIGH | CVSS 8.1 | affected: ≥ 6.2, < 6.2.3-25423 | 2022-07-27
Detail rating: [MEDIUM], CWE-22
Improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability in webapi component in Synology DiskStation Manager (DSM) before 6.2.3-25423 allows remote authenticated users to delete arbitrary files via unspecified vectors.
Source: nvd