A major security flaw in Synology’s DiskStation Manager (DSM) software could allow remote attackers to take full control of affected systems—no user interaction required.
Synology, a leading provider of network-attached storage (NAS) systems used by businesses and individuals for secure file storage and backup, confirmed the vulnerability after it was publicly demonstrated at the Pwn2Own hacking contest earlier this year. The flaw, identified as CVE-2024-10441, has been given a near-maximum severity score of 9.8 out of 10 by the Common Vulnerability Scoring System (CVSS), indicating it could have devastating effects if left unpatched.
The vulnerability lies in the system plugin daemon, which fails to properly handle output encoding. This allows attackers to run arbitrary commands on vulnerable systems from anywhere on the internet. Synology has also disclosed two additional vulnerabilities: one that could allow attackers to read limited files (CVE-2024-50629) and another that could let nearby attackers write files due to poor certificate validation (CVE-2024-10445).
Security researchers from DEVCORE, Team Smoking Barrels, and independent expert Ryan Emmons were among those who discovered the flaws.
Synology has released security updates to fix the issues in all affected versions of DSM, including versions 6.2 through 7.2.2. Users are urged to upgrade immediately, as there are no temporary workarounds available. Synology’s full security advisory is available on their website: [Synology SA-25:01](https://www.synology.com/en-us/security/advisory/Synology_SA_25_01).
With Synology NAS devices widely used in corporate environments and small offices for sensitive data storage, the risk of compromise is high if patches are not applied quickly.
