Synology Diskstation Manager vulnerabilities
97 known vulnerabilities affecting synology/diskstation_manager.
Total CVEs: 97
CISA KEV: 1 (actively exploited)
Public exploits: 11
Exploited in wild: 3
Severity breakdown: CRITICAL 19, HIGH 47, MEDIUM 29, LOW 2
Vulnerabilities
Page 4 of 5
CVE-2022-22680 | P3 | HIGH | CVSS 7.5 | Affected: ≥ 6.2, < 6.2.4-25556-3; ≥ 7.0, < 7.0.1-42218-2; +1 more | 2022-02-07
CVE-2022-22680 [HIGH] CWE-200: Exposure of sensitive information to an unauthorized actor vulnerability in Web Server in Synology DiskStation Manager (DSM) before 7.0.1-42218-2 allows remote attackers to obtain sensitive information via unspecified vectors.
Source: nvd
CVE-2021-26567 | P3 | HIGH | CVSS 7.8 | Fixed in 6.2.3-25426-3 | 2021-02-26
CVE-2021-26567 [HIGH] CWE-121: Stack-based buffer overflow vulnerability in frontend/main.c in faad2 before 2.2.7.1 allows local attackers to execute arbitrary code via filename and pathname options.
Source: nvd
CVE-2022-3576 | P3 | HIGH | CVSS 7.5 | Fixed in 7.1.1-42962-2 | Affected: ≥ unspecified, < 7.1.1-42962-2 | 2022-10-20
CVE-2022-3576 [HIGH] CWE-125: A vulnerability regarding out-of-bounds read is found in the session processing functionality of Out-of-Band (OOB) Management. This allows remote attackers to obtain sensitive information via unspecified vectors. The following models with Synology DiskStation Manager (DSM) versions before 7.1.1-42962-2 may be affected: DS3622xs+, FS3410, and HD6500.
Source: nvd
CVE-2024-45539 | P3 | HIGH | CVSS 7.5 | Affected: ≥ 7.2.1-69057, < 7.2.1-69057-2; ≥ 7.2.2-72803, < 7.2.2-72806; +2 more | 2025-12-04
CVE-2024-45539 [HIGH] CWE-787: Out-of-bounds write vulnerability in cgi components in Synology DiskStation Manager (DSM) before 7.2.1-69057-2 and 7.2.2-72806 and Synology Unified Controller (DSMUC) before 3.1.4-23079 allows remote attackers to conduct denial-of-service attacks via unspecified vectors.
Source: nvd
CVE-2024-10444 | P3 | HIGH | CVSS 7.5 | Affected: ≥ 7.1, < 7.1.1-42962-8; ≥ 7.2.1-69057, < 7.2.1-69057-7; +2 more | 2025-03-19
CVE-2024-10444 [HIGH] CWE-295: Improper certificate validation vulnerability in the LDAP utilities in Synology DiskStation Manager (DSM) before 7.1.1-42962-8, 7.2.1-69057-7 and 7.2.2-72806-3 allows man-in-the-middle attackers to hijack the authentication of administrators via unspecified vectors.
Source: nvd
CVE-2020-27648 | P3 | CRITICAL | CVSS 9.0 | Affected: ≥ 6.2, < 6.2.3-25426-2; ≥ unspecified, < 6.2.3-25426-2 | 2020-10-29
CVE-2020-27648 [CRITICAL] CWE-295: Improper certificate validation vulnerability in OpenVPN client in Synology DiskStation Manager (DSM) before 6.2.3-25426-2 allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
Source: nvd
CVE-2021-29088 | P3 | HIGH | CVSS 7.8 | Fixed in 6.2.4-25553 | 2021-06-01
CVE-2021-29088 [HIGH] CWE-22: Improper limitation of a pathname to a restricted directory ('Path Traversal') in cgi component in Synology DiskStation Manager (DSM) before 6.2.4-25553 allows local users to execute arbitrary code via unspecified vectors.
Source: nvd
CVE-2017-15894 | P3 | MEDIUM | CVSS 6.5 | Affected: ≥ 5.2, < 5.2-5967-6; ≥ 6.0, < 6.0.3-8754-3 | 2017-12-08
CVE-2017-15894 [MEDIUM] CWE-22: Directory traversal vulnerability in the SYNO.FileStation.Extract in Synology DiskStation Manager (DSM) 6.0.x before 6.0.3-8754-3 and before 5.2-5967-6 allows remote authenticated users to write arbitrary files via the dest_folder_path parameter.
Source: nvd
CVE-2019-14907 | P3 | MEDIUM | CVSS 6.5 | v6.2 | 2020-01-21
CVE-2019-14907 [MEDIUM] CWE-125: All samba versions 4.9.x before 4.9.18, 4.10.x before 4.10.12 and 4.11.x before 4.11.5 have an issue where if it is set with "log level = 3" (or above) then the string obtained from the client, after a failed character conversion, is printed. Such strings can be provided during the NTLMSSP authentication exchange. In the Samba AD DC in particular, t
Source: nvd
CVE-2021-26560 | P3 | HIGH | CVSS 7.4 | Fixed in 6.2.3-25426-3 | 2021-02-26
CVE-2021-26560 [HIGH] CWE-319: Cleartext transmission of sensitive information vulnerability in synoagentregisterd in Synology DiskStation Manager (DSM) before 6.2.3-25426-3 allows man-in-the-middle attackers to spoof servers via an HTTP session.
Source: nvd
CVE-2020-27653 | P3 | HIGH | CVSS 8.3 | v6.2.3_25426 | 2020-10-29
CVE-2020-27653 [HIGH] CWE-327: Algorithm downgrade vulnerability in QuickConnect in Synology Router Manager (SRM) before 1.2.4-8081 allows man-in-the-middle attackers to spoof servers and obtain sensitive information via unspecified vectors.
Source: nvd
CVE-2019-19344 | P3 | MEDIUM | CVSS 6.5 | v6.2 | 2020-01-21
CVE-2019-19344 [MEDIUM] CWE-416: There is a use-after-free issue in all samba 4.9.x versions before 4.9.18, all samba 4.10.x versions before 4.10.12 and all samba 4.11.x versions before 4.11.5, essentially due to a call to realloc() while other local variables still point at the original buffer.
Source: nvd
CVE-2018-8920 | P3 | HIGH | CVSS 7.2 | Fixed in 6.1.6-15266 | Affected: ≥ unspecified, < 6.1.6-15266 | 2018-12-24
CVE-2018-8920 [HIGH] CWE-116: Improper neutralization of escape vulnerability in Log Exporter in Synology DiskStation Manager (DSM) before 6.1.6-15266 allows remote attackers to inject arbitrary content to have an unspecified impact by exporting an archive in CSV format.
Source: nvd
CVE-2020-27652 | P4 | HIGH | CVSS 8.3 | Affected: ≥ 6.2, < 6.2.3-25426-2; ≥ unspecified, < 6.2.3-25426-2 | 2020-10-29
CVE-2020-27652 [HIGH] CWE-327: Algorithm downgrade vulnerability in QuickConnect in Synology DiskStation Manager (DSM) before 6.2.3-25426-2 allows man-in-the-middle attackers to spoof servers and obtain sensitive information via unspecified vectors.
Source: nvd
CVE-2018-13286 | P4 | MEDIUM | CVSS 6.5 | Affected: ≥ 5.2, < 5.2-5967-8; ≥ 6.0, < 6.0.3-8754-8; +3 more | 2019-04-01
CVE-2018-13286 [MEDIUM] CWE-276: Incorrect default permissions vulnerability in synouser.conf in Synology Diskstation Manager (DSM) before 6.2-23739-1 allows remote authenticated users to obtain sensitive information via the world readable configuration.
Source: nvd
CVE-2022-22679 | P4 | MEDIUM | CVSS 4.9 | Affected: ≥ 6.2, < 6.2.4-25556-3; ≥ 7.0, < 7.0.1-42218-2; +1 more | 2022-02-07
CVE-2022-22679 [MEDIUM] CWE-22: Improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability in support service management in Synology DiskStation Manager (DSM) before 7.0.1-42218-2 allows remote authenticated users to write arbitrary files via unspecified vectors.
Source: nvd
CVE-2021-26563 | P4 | MEDIUM | CVSS 6.7 | Fixed in 6.2.4-25553 | Affected: ≥ unspecified, < 6.2.4-25553 | 2021-02-26
CVE-2021-26563 [MEDIUM] CWE-863: Incorrect authorization vulnerability in synoagentregisterd in Synology DiskStation Manager (DSM) before 6.2.4-25553 allows local users to execute arbitrary code via unspecified vectors.
Source: nvd
CVE-2018-7170 | P4 | MEDIUM | CVSS 5.3 | Affected: ≥ 5.2, < 6.1.6-15266 | 2018-03-06
CVE-2018-7170 [MEDIUM]: ntpd in ntp 4.2.x before 4.2.8p7 and 4.3.x before 4.3.92 allows authenticated users that know the private symmetric key to create arbitrarily-many ephemeral associations in order to win the clock selection of ntpd and modify a victim's clock via a Sybil attack. This issue exists because of an incomplete fix for CVE-2016-1549.
Source: nvd
CVE-2024-10445 | P4 | MEDIUM | CVSS 5.3 | Affected: ≥ 6.2, < 6.2.4-25556-8; ≥ 7.2, < 7.2-64570-4; +4 more | 2025-03-19
CVE-2024-10445 [MEDIUM] CWE-295: Improper certificate validation vulnerability in the update functionality in Synology BeeStation OS (BSM) before 1.1-65374 and Synology DiskStation Manager (DSM) before 6.2.4-25556-8, 7.1.1-42962-7, 7.2-64570-4, 7.2.1-69057-6 and 7.2.2-72806-1 allows remote attackers to write limited files via unspecified vectors.
Source: nvd
CVE-2017-16766 | P4 | MEDIUM | CVSS 6.5 | Affected: ≥ 6.0.0, < 6.0.3-8754-6; ≥ 6.1.0, < 6.1.4-15217; +2 more | 2017-12-22
CVE-2017-16766 [MEDIUM] CWE-284: An improper access control vulnerability in synodsmnotify in Synology DiskStation Manager (DSM) before 6.1.4-15217 and before 6.0.3-8754-6 allows local users to inject arbitrary web script or HTML via the -fn option.
Source: nvd