By vendor

Synology vulnerabilities

Known CVEs affecting Synology products, prioritized by severity, with SEC.co remediation and detection guidance.

5 published vulnerabilities

  • CVE-2022-49036HIGH 7.8

    Synology Active Backup for Business Recovery Media Creator versions prior to 2.5.0-2081 contain a flaw where untrusted OpenSSL configuration can be loaded during operation. A local user with standard privileges can exploit this to execute arbitrary code on the system. The vulnerability stems from the application trusting configuration from a location or source that should not be trusted, creating a path for privilege escalation or lateral movement within an affected environment.

  • CVE-2022-49042HIGH 7.8

    Synology Hyper Backup Explorer contains a vulnerability that allows authenticated local users to execute arbitrary code through a flaw in how the MinGW DLL component handles untrusted libraries or code. An attacker with local access to a system running vulnerable versions can leverage this weakness to run malicious code with the privileges of the user running the application, potentially compromising data or system integrity.

  • CVE-2023-52951MEDIUM 5.9

    Synology Note Station Client versions before 2.2.4-703 transmit user credentials in cleartext over the network, allowing attackers positioned to intercept traffic—such as those on the same Wi-Fi network or controlling network infrastructure—to capture login credentials. This is a network-based credential theft vulnerability that does not require authentication or user interaction to exploit, though the attacker must be able to intercept the specific traffic.

  • CVE-2024-47273MEDIUM 4.3

    Synology Hyper Backup versions before 4.1.2-4036 contain a path traversal vulnerability in the Backup Task feature that allows an authenticated user to write files outside their intended directory. An attacker with valid credentials could exploit this to place files in restricted locations on the system, potentially compromising system integrity or enabling lateral movement.

  • CVE-2024-47263MEDIUM 4.1

    A path traversal flaw in Synology Hyper Backup's web API allows administrators who already have legitimate access to write files outside their intended directory. The vulnerability is constrained to non-sensitive file types, limiting immediate damage, but represents a control-boundary weakness that could enable privilege misuse or lateral movement in environments where admin accounts are compromised or where insider threat is a concern.