A severe vulnerability in Synology’s DiskStation Manager (DSM) allows remote attackers to execute arbitrary code with no user interaction.
The flaw, disclosed during Pwn2Own 2024, received a Critical severity rating with a CVSS score of 9.8, indicating its potential for widespread exploitation.
The primary vulnerability, identified as CVE-2024-10441, stems from improper encoding or escaping of output in the system plugin daemon.
Critical Synology Vulnerability
This critical flaw affects multiple Synology products, including DSM versions prior to specified patched releases, BeeStation Manager (BSM), and Synology Unified Controller (DSMUC).
This vulnerability represents one of the most serious security issues discovered in Synology products this year. Because it carries a CVSS score of 9.8 and requires no user authentication, attackers could potentially take complete control of vulnerable systems.
The technical vector is characterized as CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating network accessibility, low attack complexity, no privileges required, no user interaction needed, and potential for high confidentiality, integrity, and availability impact.
| Risk Factors | Details |
| --- | --- |
| Affected Products | Synology BeeStation Manager (BSM) before 1.1-65374; Synology DiskStation Manager (DSM) before 6.2.4-25556-8; DSM before 7.1.1-42962-7; DSM before 7.2-64570-4; DSM before 7.2.1-69057-6; DSM before 7.2.2-72806-1; Synology Unified Controller (DSMUC) before 3.1.4-23079 |
| Impact | Execute arbitrary code |
| Exploit Prerequisites | Network access to target |
| CVSS 3.1 Score | 9.8 (Critical) |
Medium-Severity Issues
CVE-2024-50629: A vulnerability in the web API component with a CVSS score of 5.3 that allows attackers to read limited files via unspecified vectors.
CVE-2024-10445: An improper certificate validation vulnerability in the update functionality with a CVSS score of 4.3 that enables adjacent attackers to write limited files.
The vulnerabilities were discovered by prominent security researchers including Pumpkin Chang (@u1f383) and Orange Tsai (@orange_8361) from DEVCORE Research Team, along with Ryan Emmons (@the_emmons) and Team Smoking Barrels.
Affected Products and Remediation
Synology has released patches for all affected products. Users are strongly advised to update to the following versions:
- DSM 7.2.2: Upgrade to 7.2.2-72806-1 or above
- DSM 7.2.1: Upgrade to 7.2.1-69057-6 or above
- DSM 7.2: Upgrade to 7.2-64570-4 or above
- DSM 7.1: Upgrade to 7.1.1-42962-7 or above
- DSM 6.2: Upgrade to 6.2.4-25556-8 or above
- DSMUC 3.1: Upgrade to 3.1.4-23079 or above
Notably, no mitigations are available other than applying the updates, underscoring the importance of immediate patching.
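As an added example (not code from the advisory or from Synology), the check below turns the patch list above into an inventory triage: it parses Synology-style version strings, matches each install to its release branch, and reports which hosts are still on a build older than that branch's fix. The hostnames and installed versions are constructed, and the code assumes Synology build numbers increase monotonically across releases, which holds for every version listed on this page.

```python
import re

# First fixed version of each release branch, from the Synology advisory.
PATCHED = {
    "DSM": ["7.2.2-72806-1", "7.2.1-69057-6", "7.2-64570-4",
            "7.1.1-42962-7", "6.2.4-25556-8"],
    "BSM": ["1.1-65374"],
    "DSMUC": ["3.1.4-23079"],
}

def parse_version(v):
    """'7.2.1-69057-6' -> ((7, 2, 1), 69057, 6); a missing '-N' suffix is update 0."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)-(\d+)(?:-(\d+))?", v.strip())
    if not m:
        raise ValueError(f"unrecognised Synology version string: {v!r}")
    release = tuple(int(x) for x in m.group(1).split("."))
    return release, int(m.group(2)), int(m.group(3) or 0)

def assess(product, installed):
    """Return 'patched', 'vulnerable' or 'newer-than-advisory' for one install."""
    rel, build, update = parse_version(installed)
    fixes = [parse_version(f) for f in PATCHED[product]]
    # The release branch must match exactly: Synology ships a separate fix build
    # per branch, so 7.2-64570-3 is not covered by the 7.2.1 fix.
    for frel, fbuild, fupdate in fixes:
        if frel == rel:
            return "patched" if (build, update) >= (fbuild, fupdate) else "vulnerable"
    # No fix on this branch. Build numbers grow across releases (assumption), so a
    # build above every listed fix is newer than the advisory; anything else needs an upgrade.
    if build > max(f[1] for f in fixes):
        return "newer-than-advisory"
    return "vulnerable"

def triage(inventory):
    """inventory: iterable of (host, product, version); returns hosts still exposed."""
    return sorted(h for h, p, v in inventory if assess(p, v) == "vulnerable")

# Constructed sample inventory: hostnames and installed versions are made up.
SAMPLE_INVENTORY = [
    ("nas-fin-01", "DSM", "7.2.2-72806"),    # 7.2.2 with no update -> vulnerable
    ("nas-fin-02", "DSM", "7.2.2-72806-1"),  # first fixed 7.2.2 build
    ("nas-hr-01", "DSM", "7.2-64570-3"),     # one update short of the 7.2 fix
    ("nas-lab-01", "DSM", "7.0.1-40000"),    # branch with no fix listed
    ("nas-old-01", "DSM", "6.2.4-25556-8"),  # fixed despite a lower build than 7.x
    ("bee-01", "BSM", "1.1-65374"),
    ("uc-01", "DSMUC", "3.1.3-22000"),
]

if __name__ == "__main__":
    print("needs patching:", triage(SAMPLE_INVENTORY))
```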
“The fact that such critical flaws existed in widely deployed storage systems should remind organizations to keep security at the forefront of their product development.”
Given the severity and remote exploitability of CVE-2024-10441, organizations and individuals using Synology NAS devices should treat this update as an emergency patch.
Exposed, unpatched systems could be compromised through automated scanning and exploitation attempts.
Synology initially released this security advisory on November 5, 2024, with subsequent updates releasing patches for various product lines.
The most recent update on March 19, 2025, disclosed complete vulnerability details after providing users adequate time to update their systems.