Synology Issues Critical Alert for Router VPN Software
Take action: Update Synology VPN Plus Server to version 1.4.6-0685. A VPN server is by design reachable from the internet, so once exploit details become public, automated scanning and exploitation attempts against unpatched routers should be expected. Synology offers no workaround or interim countermeasure; applying the update is the only remediation.
Learn More
Synology has issued an advisory for a security vulnerability in VPN Plus Server, the VPN package for its routers. The issue has drawn attention because a national cybersecurity agency rates it as "critical".
The vulnerability affects VPN Plus Server running on Synology Router Manager (SRM) 1.2 and 1.3. A remote attacker can use it to execute arbitrary SQL commands and to perform unauthorized file operations on the device. Technical details are being withheld to limit exploitation in the wild, and the two published severity ratings disagree:
- Synology rates the vulnerability as "moderate".
- Germany's Federal Office for Information Security (BSI) rates it as "critical", citing a CVSS base score of 9.1.
Synology has released VPN Plus Server 1.4.6-0685, which fixes the vulnerability on both SRM 1.2 and SRM 1.3. The company provides no interim countermeasures, so administrators should treat the update as the only available mitigation and apply it promptly.