CVE-2023-52951: Synology Note Station Client Cleartext Credential Transmission Vulnerability
Synology Note Station Client versions before 2.2.4-703 transmit user credentials in cleartext over the network, allowing attackers positioned to intercept traffic—such as those on the same Wi-Fi network or controlling network infrastructure—to capture login credentials. This is a network-based credential theft vulnerability that does not require authentication or user interaction to exploit, though the attacker must be able to intercept the specific traffic.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 5.9 MEDIUM · CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
- Weaknesses (CWE)
- CWE-319
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-06-03 / 2026-06-17
NVD description (verbatim)
A cleartext transmission of sensitive information vulnerability in Synology Note Station Client before 2.2.4-703 allows man-in-the-middle attackers to obtain user credential.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2023-52951 is a cleartext transmission vulnerability (CWE-319) affecting Synology Note Station Client. The application fails to encrypt user credentials during transmission, exposing them to network interception. An unauthenticated network-adjacent attacker can capture credentials by positioning themselves to observe or modify traffic between the client and server. The CVSS 3.1 score of 5.9 (Medium) reflects high confidentiality impact but no integrity or availability consequences; the AV:N vector indicates network accessibility, AC:H reflects the practical difficulty of achieving a successful man-in-the-middle position, and UI:N confirms no user interaction is required once the attacker is positioned.
Business impact
Credential compromise of Note Station users directly threatens confidentiality of personal notes, sensitive business information, and potentially linked accounts if credential reuse is common. Organizations relying on Synology Note Station for note management or integration with broader Synology infrastructure face risk of unauthorized access to user accounts. The impact is limited to confidentiality; data integrity and system availability are not directly affected by this vulnerability.
Affected systems
Synology Note Station Client versions before 2.2.4-703 are vulnerable. Verify your installed version via the application's About or Settings menu; organizations should inventory all endpoints running this client to assess exposure.
Exploitability
Exploitation requires the attacker to be network-positioned to intercept client-to-server traffic. This is practical in scenarios involving unencrypted Wi-Fi networks, compromised network segments, ARP spoofing, DNS hijacking, or ISP-level observation. The AC:H rating reflects that the attacker must overcome defenses like VPNs or network monitoring to achieve interception; however, once positioned, credential extraction is straightforward. There is no publicly disclosed evidence of active weaponization in the KEV catalog.
Remediation
Update Synology Note Station Client to version 2.2.4-703 or later immediately. This update implements encrypted transmission of credentials. After patching, consider requiring users to reset their Note Station passwords as a precaution if deployment history suggests possible interception.
Patch guidance
Synology Note Station Client is typically deployed on end-user workstations or mobile devices. Patch availability and deployment method depend on your platform (Windows, macOS, iOS, Android). Check Synology's official download page or your device's application store for version 2.2.4-703 or later. Enterprise deployments may coordinate patching through managed software distribution. Verify successful update by confirming the new version number in the application's About dialog.
Detection guidance
Monitor network traffic for unencrypted credential transmission to Synology Note Station services; look for cleartext usernames and passwords in application-level logging. On endpoints, check for Note Station Client versions below 2.2.4-703 using inventory or endpoint management tools. Review firewall and proxy logs for unencrypted Note Station client connections to confirm whether traffic is being inspected or tunneled through secure channels. Implement network segmentation and enforce TLS/VPN usage to reduce interception risk.
Why prioritize this
Although the CVSS score is Medium (5.9), this vulnerability warrants prompt attention because credentials are the keys to unauthorized access and downstream compromise. Credential theft can enable persistent access, lateral movement, and data exfiltration. The ease of exploitation in open network environments (coffee shops, public Wi-Fi, compromised corporate networks) elevates practical risk. Organizations should prioritize patching within 30 days, with higher urgency for remote workers or users on untrusted networks.
Risk score, explained
The CVSS 3.1 score of 5.9 reflects high confidentiality impact (C:H) balanced against the practical difficulty for the attacker (AC:H) and lack of availability or integrity harm. The network vector (AV:N) and no-privilege-required rating (PR:N) recognize the threat is remotely exploitable. The score appropriately captures that credential theft is serious but not as severe as remote code execution or system-wide service denial. Organizations in regulated industries (healthcare, finance) may treat this as higher priority due to compliance implications of credential exposure.
Frequently asked questions
What versions of Synology Note Station Client are affected?
All versions before 2.2.4-703 are vulnerable. If you are running 2.2.4-703 or any later version, you are not affected. Check your version in the application's settings or About menu.
Can this vulnerability steal data other than credentials?
The vulnerability specifically exposes user credentials transmitted in cleartext. An attacker must be positioned on the network path to intercept traffic. Other data (note content) may also be exposed depending on whether the application encrypts it separately; verify your encryption settings and consult Synology documentation.
Do I need to reset my password after patching?
After updating to 2.2.4-703 or later, consider resetting your Note Station password if you suspect your credentials may have been captured during the window you were running an older version. This is especially important if you used the same password elsewhere or deployed the client on a shared or untrusted network.
Does updating to 2.2.4-703 fix the cleartext transmission?
Yes, version 2.2.4-703 and later implement encrypted credential transmission. Update to this version or any subsequent release. After patching, new credential transmissions will be encrypted.
This analysis is based on publicly available information as of the publication date. Verify all patch version numbers, availability dates, and technical details against official Synology advisories and documentation. This vulnerability has not been added to the CISA KEV catalog. No exploit code or weaponized proof-of-concept is provided. Security teams should conduct their own testing and risk assessment before deploying patches in production environments. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10584MEDIUMGraph Explorer HTTPS Fallback to HTTP Vulnerability
- CVE-2026-25599MEDIUMOrca Heat Pump Unauthenticated HTTP and Stored XSS Vulnerability
- CVE-2026-36610MEDIUMMercusys AC12G EU Plaintext DDNS Credential Disclosure
- CVE-2026-43625MEDIUMCodexBar Session Cookie Leakage – Urgent Patch Required
- CVE-2026-34126HIGHTP-Link Tapo Unencrypted Bluetooth Setup Vulnerability – L535E, P300, D100C
- CVE-2024-47263MEDIUMSynology Hyper Backup Path Traversal – Admin Privilege Required
- CVE-2024-47273MEDIUMSynology Hyper Backup Path Traversal Vulnerability (4.3 MEDIUM)
- CVE-2022-49036HIGHSynology Active Backup for Business Recovery Media Creator Arbitrary Code Execution