Warning: Missing authorisation vulnerability in Synology DiskStation Manager. Patch Immediately!

Published: 24/04/2025
  • Last update: 24/04/2025
  • Affected software: Synology DiskStation Manager (DSM) before 7.1.1-42962-8, 7.2.1-69057-7 and 7.2.2-72806-3
  • Type: Missing Authorisation
  • CVE/CVSS
    → CVE-2025-1021: CVSS 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

Sources

https://www.synology.com/en-global/security/advisory/Synology_SA_25_03

Risks

CVE-2025-1021 is a high-severity vulnerability that impacts the confidentiality of affected Synology DiskStation Manager installations. Synology DiskStation Manager (DSM) is the operating system that powers Synology's network-attached storage (NAS) devices, providing centralised storage, backup and file-sharing capabilities for organisations. Within DSM, Syncope is a component used for identity and access management.

A missing authorisation vulnerability in Syncope allows remote attackers to read arbitrary files from the device without authenticating. The CVSS vector (AV:N/AC:L/PR:N/UI:N) reflects this: the flaw is reachable over the network, requires no privileges and no user interaction, and the impact is limited to confidentiality (C:H), with no integrity or availability impact.

Successful exploitation exposes whatever the vulnerable component can read on the NAS, which may include sensitive stored data; this could lead to identity theft or corporate espionage.

Description

A missing authorisation vulnerability in Syncope in Synology DiskStation Manager (DSM) allows remote attackers to read arbitrary files via unspecified vectors.

Recommended Actions

Patch

The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority, after thorough testing.
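Deciding which devices actually need the update means comparing each NAS's DSM version against the fixed builds listed above, per release branch. The following is an added example (not code from the advisory or from Synology) that does that comparison. It accepts the advisory-style form (7.2.1-69057-7), the form shown in the DSM user interface (7.2.1-69057 Update 7), and a build with no Update suffix, and it also builds the version string from the shell-style key=value pairs in DSM's /etc.defaults/VERSION file (the keys productversion, buildnumber and smallfixnumber used here are an assumption about that file's layout; the sample contents are constructed). A branch that the advisory does not name (for example 7.2.0) is reported as "not-listed" rather than silently marked fixed, so the conservative reading is to treat such devices as unpatched and move them to a fixed branch.

```python
"""Classify a Synology DSM version against the fixed builds in CCB's
CVE-2025-1021 advisory. Added example, not part of the advisory."""
import re
from typing import Optional, Tuple

# Fixed builds from the advisory, keyed by release branch:
# branch -> (buildnumber, smallfix).  Anything at or above is fixed.
FIXED_BUILDS = {
    "7.1.1": (42962, 8),
    "7.2.1": (69057, 7),
    "7.2.2": (72806, 3),
}

# Matches "7.2.1-69057-7", "7.2.1-69057 Update 7" and "7.2.1-69057".
VERSION_RE = re.compile(r"^(\d+\.\d+\.\d+)-(\d+)(?:-(\d+)| Update (\d+))?$")


def parse_version(text: str) -> Tuple[str, int, int]:
    """Return (branch, buildnumber, smallfix) for a DSM version string.
    A build with no Update suffix is smallfix 0."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised DSM version: {text!r}")
    branch, build, fix_dash, fix_word = m.groups()
    smallfix = int(fix_dash or fix_word or 0)
    return branch, int(build), smallfix


def version_from_file(contents: str) -> str:
    """Build an advisory-style version string from the key=value lines of
    DSM's /etc.defaults/VERSION (key names assumed: productversion,
    buildnumber, smallfixnumber)."""
    kv = {}
    for line in contents.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        kv[key.strip()] = value.strip().strip('"')
    return f"{kv['productversion']}-{kv['buildnumber']}-{kv.get('smallfixnumber', '0')}"


def classify(version: str) -> str:
    """'fixed', 'vulnerable', or 'not-listed' (branch absent from the advisory)."""
    branch, build, smallfix = parse_version(version)
    fixed: Optional[Tuple[int, int]] = FIXED_BUILDS.get(branch)
    if fixed is None:
        # e.g. 7.2.0: the advisory names no fixed build, so do not assume safety.
        return "not-listed"
    # Tuple comparison: a later build in the same branch also counts as fixed.
    return "fixed" if (build, smallfix) >= fixed else "vulnerable"


# Constructed sample of /etc.defaults/VERSION contents (not taken from a real device).
SAMPLE_VERSION_FILE = '''
majorversion="7"
minorversion="2"
micro="1"
productversion="7.2.1"
buildnumber="69057"
smallfixnumber="5"
'''

if __name__ == "__main__":
    for v in ["7.2.1-69057-7", "7.2.1-69057 Update 6", "7.2.2-72806",
              "7.1.1-42962-8", "7.2.0-64570-4", version_from_file(SAMPLE_VERSION_FILE)]:
        print(f"{v:<28} {classify(v)}")
```

Run it against your device inventory, or on the NAS itself by feeding it the contents of /etc.defaults/VERSION; anything other than "fixed" goes on the patch list.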

Monitor/Detect

The CCB recommends that organisations step up their monitoring and detection capabilities to identify any related suspicious activity, so that they can respond swiftly in case of an intrusion.

In case of an intrusion, you can report an incident via: https://ccb.belgium.be/cert/report-incident.

While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.

References

https://nvd.nist.gov/vuln/detail/CVE-2025-1021