Synology Router Manager vulnerabilities

59 known vulnerabilities affecting synology/router_manager.

Total CVEs

CISA KEV

Public exploits

Exploited in wild

Severity breakdown

CRITICAL7HIGH21MEDIUM30LOW1

Vulnerabilities

Page 1 of 3

CVE-2025-29846HIGHCVSS 7.2≥ 1.3, < 1.3.1-9346v1.3.1-93462025-12-04

CVE-2025-29846 [HIGH] CWE-22 CVE-2025-29846: A vulnerability in portenable cgi allows remote authenticated users to get the status of installed p A vulnerability in portenable cgi allows remote authenticated users to get the status of installed packages.

nvd

CVE-2025-29843MEDIUMCVSS 5.4≥ 1.3, < 1.3.1-9346v1.3.1-93462025-12-04

CVE-2025-29843 [MEDIUM] CWE-22 CVE-2025-29843: A vulnerability in FileStation thumb cgi allows remote authenticated users to read/write image files A vulnerability in FileStation thumb cgi allows remote authenticated users to read/write image files.

nvd

CVE-2025-29844MEDIUMCVSS 4.3≥ 1.3, < 1.3.1-9346v1.3.1-93462025-12-04

CVE-2025-29844 [MEDIUM] CWE-22 CVE-2025-29844: A vulnerability in FileStation file cgi allows remote authenticated users to read file metadata and A vulnerability in FileStation file cgi allows remote authenticated users to read file metadata and path information.

nvd

CVE-2025-29845MEDIUMCVSS 4.3≥ 1.3, < 1.3.1-9346v1.3.1-93462025-12-04

CVE-2025-29845 [MEDIUM] CWE-22 CVE-2025-29845: A vulnerability in VideoPlayer2 subtitle cgi allows remote authenticated users to read .srt files. A vulnerability in VideoPlayer2 subtitle cgi allows remote authenticated users to read .srt files.

nvd

CVE-2024-53286HIGHCVSS 7.2≥ 1.3, < 1.3.1-9346v1.3.1-93462025-07-23

CVE-2024-53286 [HIGH] CWE-78 CVE-2024-53286: Improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerabi Improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability in DDNS Record functionality in Synology Router Manager (SRM) before 1.3.1-9346-11 allows remote authenticated users with administrator privileges to execute arbitrary code via unspecified vectors.

nvd

CVE-2024-53287MEDIUMCVSS 5.9≥ 1.3, < 1.3.1-9346v1.3.1-93462025-07-23

CVE-2024-53287 [MEDIUM] CWE-79 CVE-2024-53287: Improper neutralization of input during web page generation ('Cross-site Scripting') vulnerability i Improper neutralization of input during web page generation ('Cross-site Scripting') vulnerability in VPN Setting functionality in Synology Router Manager (SRM) before 1.3.1-9346-11 allows remote authenticated users with administrator privileges to inject arbitrary web script or HTML via unspecified vectors.

nvd

CVE-2024-53288MEDIUMCVSS 5.9≥ 1.3, < 1.3.1-9346v1.3.1-93462025-07-23

CVE-2024-53288 [MEDIUM] CWE-79 CVE-2024-53288: Improper neutralization of input during web page generation ('Cross-site Scripting') vulnerability i Improper neutralization of input during web page generation ('Cross-site Scripting') vulnerability in NTP Region functionality in Synology Router Manager (SRM) before 1.3.1-9346-11 allows remote authenticated users with administrator privileges to inject arbitrary web script or HTML via unspecified vectors.

nvd

CVE-2024-53281MEDIUMCVSS 5.9≥ 1.3, < 1.3.1-9346v1.3.1-93462024-12-09

CVE-2024-53281 [MEDIUM] CWE-79 CVE-2024-53281: Improper neutralization of input during web page generation ('Cross-site Scripting') vulnerability i Improper neutralization of input during web page generation ('Cross-site Scripting') vulnerability in Network WOL functionality in Synology Router Manager (SRM) before 1.3.1-9346-10 allows remote authenticated users to read or write specific files containing non-sensitive information and conduct limited denial-of-service attacks by injecting arbitrar

nvd

CVE-2024-53279MEDIUMCVSS 5.9≥ 1.3, < 1.3.1-9346v1.3.1-93462024-12-09

CVE-2024-53279 [MEDIUM] CWE-79 CVE-2024-53279: Improper neutralization of input during web page generation ('Cross-site Scripting') vulnerability i Improper neutralization of input during web page generation ('Cross-site Scripting') vulnerability in file station functionality in Synology Router Manager (SRM) before 1.3.1-9346-10 allows remote authenticated users with administrator privileges to read or write specific files containing non-sensitive information and conduct limited denial-of-servic

nvd

CVE-2024-53282MEDIUMCVSS 5.9≥ 1.3, < 1.3.1-9346v1.3.1-93462024-12-09

CVE-2024-53282 [MEDIUM] CWE-79 CVE-2024-53282: Improper neutralization of input during web page generation ('Cross-site Scripting') vulnerability i Improper neutralization of input during web page generation ('Cross-site Scripting') vulnerability in WiFi Connect MAC Filter functionality in Synology Router Manager (SRM) before 1.3.1-9346-10 allows remote authenticated users with administrator privileges to read or write specific files containing non-sensitive information and conduct limited denia

nvd

CVE-2024-53285MEDIUMCVSS 5.9≥ 1.3, < 1.3.1-9346v1.3.1-93462024-12-09

CVE-2024-53285 [MEDIUM] CWE-79 CVE-2024-53285: Improper neutralization of input during web page generation ('Cross-site Scripting') vulnerability i Improper neutralization of input during web page generation ('Cross-site Scripting') vulnerability in DDNS Record functionality in Synology Router Manager (SRM) before 1.3.1-9346-10 allows remote authenticated users with administrator privileges to read or write specific files containing non-sensitive information and conduct limited denial-of-service

nvd

CVE-2024-53280MEDIUMCVSS 5.9≥ 1.3, < 1.3.1-9346v1.3.1-93462024-12-09

CVE-2024-53280 [MEDIUM] CWE-79 CVE-2024-53280: Improper neutralization of input during web page generation ('Cross-site Scripting') vulnerability i Improper neutralization of input during web page generation ('Cross-site Scripting') vulnerability in network center policy route functionality in Synology Router Manager (SRM) before 1.3.1-9346-10 allows remote authenticated users with administrator privileges to read or write specific files containing non-sensitive information and conduct limited d

nvd

CVE-2024-53283MEDIUMCVSS 5.9≥ 1.3, < 1.3.1-9346v1.3.1-93462024-12-09

CVE-2024-53283 [MEDIUM] CWE-79 CVE-2024-53283: Improper neutralization of input during web page generation ('Cross-site Scripting') vulnerability i Improper neutralization of input during web page generation ('Cross-site Scripting') vulnerability in Router Port Forward functionality in Synology Router Manager (SRM) before 1.3.1-9346-10 allows remote authenticated users with administrator privileges to read or write specific files containing non-sensitive information and conduct limited denial-of

nvd

CVE-2024-53284MEDIUMCVSS 5.9≥ 1.3, < 1.3.1-9346v1.3.1-93462024-12-09

CVE-2024-53284 [MEDIUM] CWE-79 CVE-2024-53284: Improper neutralization of input during web page generation ('Cross-site Scripting') vulnerability i Improper neutralization of input during web page generation ('Cross-site Scripting') vulnerability in WiFi Connect Setting functionality in Synology Router Manager (SRM) before 1.3.1-9346-10 allows remote authenticated users with administrator privileges to read or write specific files containing non-sensitive information and conduct limited denial-o

nvd

CVE-2024-11398HIGHCVSS 8.1≥ 1.3, < 1.3.1-9346v1.3.1-93462024-12-04

CVE-2024-11398 [HIGH] CWE-22 CVE-2024-11398: Improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability in OTP Improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability in OTP reset functionality in Synology Router Manager (SRM) before 1.3.1-9346-9 allows remote authenticated users to delete arbitrary files via unspecified vectors.

nvd

CVE-2024-39348HIGHCVSS 7.5≥ 1.2, < 1.2.5-8227≥ 1.3, < 1.3.1-9346+2 more2024-06-28

CVE-2024-39348 [HIGH] CWE-494 CVE-2024-39348: Download of code without integrity check vulnerability in AirPrint functionality in Synology Router Download of code without integrity check vulnerability in AirPrint functionality in Synology Router Manager (SRM) before 1.2.5-8227-11 and 1.3.1-9346-8 allows man-in-the-middle attackers to execute arbitrary code via unspecified vectors.

nvd

CVE-2024-39347MEDIUMCVSS 5.9≥ 1.2, < 1.2.5-8227≥ 1.3, < 1.3.1-9346+2 more2024-06-28

CVE-2024-39347 [MEDIUM] CWE-276 CVE-2024-39347: Incorrect default permissions vulnerability in firewall functionality in Synology Router Manager (SR Incorrect default permissions vulnerability in firewall functionality in Synology Router Manager (SRM) before 1.2.5-8227-11 and 1.3.1-9346-8 allows man-in-the-middle attackers to access highly sensitive intranet resources via unspecified vectors.

nvd

CVE-2023-41738HIGHCVSS 8.8fixed in 1.3.1-9346-62023-08-31

CVE-2023-41738 [HIGH] CVE-2023-41738: Improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerabi Improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability in Directory Domain Functionality in Synology Router Manager (SRM) before 1.3.1-9346-6 allows remote authenticated users to execute arbitrary commands via unspecified vectors.

nvd

CVE-2023-41741HIGHCVSS 7.5fixed in 1.3.1-9346-62023-08-31

CVE-2023-41741 [MEDIUM] CVE-2023-41741: Exposure of sensitive information to an unauthorized actor vulnerability in cgi component in Synolog Exposure of sensitive information to an unauthorized actor vulnerability in cgi component in Synology Router Manager (SRM) before 1.3.1-9346-6 allows remote attackers to obtain sensitive information via unspecified vectors.

nvd

CVE-2023-41740MEDIUMCVSS 5.3fixed in 1.3.1-9346-62023-08-31

CVE-2023-41740 [MEDIUM] CVE-2023-41740: Improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability in cgi Improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability in cgi component in Synology Router Manager (SRM) before 1.3.1-9346-6 allows remote attackers to read specific files via unspecified vectors.

nvd

1 / 3Next →