Synology Router Manager vulnerabilities
43 known vulnerabilities affecting synology/synology_router_manager.
Total CVEs: 43
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown
CRITICAL 5, HIGH 15, MEDIUM 23
Vulnerabilities
Page 1 of 3
CVE-2023-32956 | P2 | CRITICAL | CVSS 9.8 | ≥ 1.3, < 1.3.1-9346-3; ≥ 1.2, < 1.2.5-8227-6 | 2023-05-16
Improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability in CGI component in Synology Router Manager (SRM) before 1.2.5-8227-6 and 1.3.1-9346-3 allows remote attackers to execute arbitrary code via unspecified vectors.
nvd
CVE-2020-27654 | P2 | CRITICAL | CWE-269 | CVSS 9.8 | ≥ unspecified, < 1.2.4-8081 | 2020-10-29
Improper access control vulnerability in lbd in Synology Router Manager (SRM) before 1.2.4-8081 allows remote attackers to execute arbitrary commands via port (1) 7786/tcp or (2) 7787/tcp.
nvd
CVE-2020-27655 | P2 | CRITICAL | CWE-269 | CVSS 10.0 | ≥ unspecified, < 1.2.4-8081 | 2020-10-29
Improper access control vulnerability in Synology Router Manager (SRM) before 1.2.4-8081 allows remote attackers to access restricted resources via inbound QuickConnect traffic.
nvd
CVE-2023-41738 | P2 | HIGH | CVSS 8.8 | ≥ 1.3, < 1.3.1-9346-6 | 2023-08-31
Improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability in Directory Domain Functionality in Synology Router Manager (SRM) before 1.3.1-9346-6 allows remote authenticated users to execute arbitrary commands via unspecified vectors.
nvd
CVE-2018-13285 | P3 | HIGH | CWE-78 | CVSS 8.8 | ≥ unspecified, < 1.1.7-6941-1 | 2019-04-01
Command injection vulnerability in ftpd in Synology Router Manager (SRM) before 1.1.7-6941-1 allows remote authenticated users to execute arbitrary OS commands via the (1) MKD or (2) RMD command.
nvd
CVE-2023-32955 | P3 | HIGH | CVSS 8.1 | ≥ 1.2, < 1.2.5-8227-6; ≥ 1.3, < 1.3.1-9346-3 | 2023-05-16
Improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability in DHCP Client Functionality in Synology Router Manager (SRM) before 1.2.5-8227-6 and 1.3.1-9346-3 allows man-in-the-middle attackers to execute arbitrary commands via unspecified vectors.
nvd
CVE-2023-0077 | P3 | CRITICAL | CVSS 9.8 | ≥ 1.2, < 1.2.5-8227-6; ≥ 1.3, < 1.3.1-9346-3 | 2023-01-05
Integer overflow or wraparound vulnerability in CGI component in Synology Router Manager (SRM) before 1.2.5-8227-6 and 1.3.1-9346-3 allows remote attackers to overflow buffers via unspecified vectors.
nvd
CVE-2024-53286 | P3 | HIGH | CWE-78 | CVSS 7.2 | ≥ 1.3, < 1.3.1-9346-11 | 2025-07-23
Improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability in DDNS Record functionality in Synology Router Manager (SRM) before 1.3.1-9346-11 allows remote authenticated users with administrator privileges to execute arbitrary code via unspecified vectors.
nvd
CVE-2024-11398 | P3 | HIGH | CWE-22 | CVSS 8.1 | ≥ 1.3, < 1.3.1-9346-9 | 2024-12-04
Improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability in OTP reset functionality in Synology Router Manager (SRM) before 1.3.1-9346-9 allows remote authenticated users to delete arbitrary files via unspecified vectors.
nvd
CVE-2023-0142 | P3 | HIGH | CWE-427 | CVSS 8.1 | ≥ 1.3, < 1.3.*; ≥ 1.2, < 1.2.* | 2023-06-13
Uncontrolled search path element vulnerability in Backup Management functionality in Synology DiskStation Manager (DSM) before 6.2.4-25556-8, 7.0.1-42218-7 and 7.1-42661 allows remote authenticated users with administrator privileges to read or write arbitrary files via unspecified vectors.
nvd
CVE-2025-29846 | P3 | HIGH | CWE-22 | CVSS 7.2 | ≥ 1.3, < 1.3.1-9346-13 | 2025-12-04
A vulnerability in portenable cgi allows remote authenticated users to get the status of installed packages.
nvd
CVE-2017-12078 | P3 | HIGH | CWE-77 | CVSS 7.2 | ≥ unspecified, < 1.1.6-6931 | 2018-06-08
Command injection vulnerability in EZ-Internet in Synology Router Manager (SRM) before 1.1.6-6931 allows remote authenticated users to execute arbitrary command via the username parameter.
nvd
CVE-2022-43932 | P3 | HIGH | CVSS 7.5 | ≥ 1.2, < 1.2.5-8227-6; ≥ 1.3, < 1.3.1-9346-3 | 2023-01-05
Improper neutralization of special elements in output used by a downstream component ('Injection') vulnerability in CGI component in Synology Router Manager (SRM) before 1.2.5-8227-6 and 1.3.1-9346-3 allows remote attackers to read arbitrary files via unspecified vectors.
nvd
CVE-2023-2729 | P3 | HIGH | CVSS 7.5 | ≥ 1.3, < 1.3.*; ≥ 1.2, < 1.2.* | 2023-06-13
Use of insufficiently random values vulnerability in User Management Functionality in Synology DiskStation Manager (DSM) before 7.2-64561 allows remote attackers to obtain user credential via unspecified vectors.
nvd
CVE-2023-41741 | P3 | HIGH | CVSS 7.5 | ≥ 1.3, < 1.3.1-9346-6 | 2023-08-31
Exposure of sensitive information to an unauthorized actor vulnerability in cgi component in Synology Router Manager (SRM) before 1.3.1-9346-6 allows remote attackers to obtain sensitive information via unspecified vectors.
nvd
CVE-2024-39348 | P3 | HIGH | CWE-494 | CVSS 7.5 | ≥ 1.3, < 1.3.1-9346-8; ≥ 1.2, < 1.2.5-8227-11 | 2024-06-28
Download of code without integrity check vulnerability in AirPrint functionality in Synology Router Manager (SRM) before 1.2.5-8227-11 and 1.3.1-9346-8 allows man-in-the-middle attackers to execute arbitrary code via unspecified vectors.
nvd
CVE-2020-27649 | P3 | CRITICAL | CWE-295 | CVSS 9.0 | ≥ unspecified, < 1.2.4-8081 | 2020-10-29
Improper certificate validation vulnerability in OpenVPN client in Synology Router Manager (SRM) before 1.2.4-8081 allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.
nvd
CVE-2020-27651 | P3 | HIGH | CWE-614 | CVSS 8.1 | ≥ unspecified, < 1.2.4-8081 | 2020-10-29
Synology Router Manager (SRM) before 1.2.4-8081 does not set the Secure flag for the session cookie in an HTTPS session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an HTTP session.
nvd
CVE-2017-15895 | P3 | MEDIUM | CWE-22 | CVSS 6.5 | before 1.1.5-6542-4 | 2017-12-08
Directory traversal vulnerability in the SYNO.FileStation.Extract in Synology Router Manager (SRM) before 1.1.5-6542-4 allows remote authenticated users to write arbitrary files via the dest_folder_path parameter.
nvd
CVE-2020-27653 | P3 | HIGH | CWE-327 | CVSS 8.3 | ≥ unspecified, < 1.2.4-8081 | 2020-10-29
Algorithm downgrade vulnerability in QuickConnect in Synology Router Manager (SRM) before 1.2.4-8081 allows man-in-the-middle attackers to spoof servers and obtain sensitive information via unspecified vectors.
nvd