Synology Issues Critical Security Patches for Multiple Products: Remote Code Execution and Information Disclosure Vulnerabilities

Synology has released urgent security updates addressing critical vulnerabilities in its DiskStation Manager (DSM), BeeStation Manager (BSM), and Unified Controller (DSMUC). These vulnerabilities, including remote code execution and improper certificate validation flaws, could allow attackers to gain unauthorized access or execute arbitrary code on affected systems. Users are strongly urged to apply the latest patches to safeguard their devices from potential exploitation.

Urgent Security Advisory: Multiple Critical Vulnerabilities Discovered in Synology Products

Synology has issued a series of critical security advisories on March 19, 2025, highlighting vulnerabilities affecting several of its popular products, including DiskStation Manager (DSM), BeeStation Manager (BSM), and Unified Controller (DSMUC). These flaws, if left unpatched, could leave systems open to remote exploitation and unauthorized access.

Overview of Discovered Vulnerabilities:

  1. CVE-2024-10441: Remote Code Execution (RCE) Vulnerability

    • Severity: CVSS 9.8 (Critical)
    • Description: A severe flaw in the system plugin daemon allows remote attackers to execute arbitrary code, potentially taking complete control over affected devices. The vulnerability impacts multiple versions of DSM, BSM, and DSMUC.
    • Affected Versions:
      • DSM 7.2.2 and earlier
      • BSM 1.0 and 1.1
      • DSMUC 3.0 and 3.1
    • Fix: Affected users are strongly advised to update their systems to the latest versions to protect against remote code execution risks.
  2. CVE-2024-50629: Improper File Access Vulnerability

    • Severity: CVSS 5.3 (Medium)
    • Description: Improper encoding within the web API component of affected Synology products allows unauthorized attackers to read sensitive files. This vulnerability could result in information leakage and unauthorized access to important system files.
    • Affected Versions:
      • DSM versions 6.2, 7.1, and 7.2
      • BSM 1.0 and 1.1
      • DSMUC 3.0 and 3.1
    • Fix: Users should update their systems to the latest patches to prevent unauthorized file access.
  3. CVE-2024-10445: Improper Certificate Validation

    • Severity: CVSS 4.3 (Medium)
    • Description: This vulnerability stems from improper certificate validation in the update functionality, enabling remote attackers to write a limited set of files on the system. Exploiting this issue could impact the integrity of the system’s data and configuration.
    • Affected Versions:
      • DSM 7.2, 7.1, and earlier
      • BSM 1.0 and 1.1
      • DSMUC 3.0 and 3.1
    • Fix: To mitigate the risk, users are urged to upgrade to the latest secure versions immediately.
  4. CVE-2024-11131: Out-of-Bounds Read in Camera Firmware

    • Severity: CVSS 9.8 (Critical)
    • Description: An out-of-bounds read vulnerability in Synology's camera firmware allows attackers to execute arbitrary code remotely. This issue poses a significant risk to users with affected camera models, potentially leading to device compromise.
    • Affected Models:
      • BC500, CC400W, and TC500 cameras (Firmware versions prior to 1.2.0-0525)
    • Fix: Users should upgrade their camera firmware to version 1.2.0-0525 or later to resolve this critical issue.
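A fleet triage check for the camera finding, added here as an example and not Synology's own tooling: it parses the firmware version format the advisory quotes (major.minor.patch-build) numerically and flags any BC500, CC400W or TC500 running a build below 1.2.0-0525. The hostnames and firmware values in the inventory are constructed; this page does not list the fixed build numbers for DSM, BSM or DSMUC, so those products need thresholds taken from the official advisories.

```python
import re

# Fix threshold quoted in the advisory summary for the BC500, CC400W and TC500 cameras.
CAMERA_FIXED_FIRMWARE = "1.2.0-0525"
AFFECTED_CAMERA_MODELS = {"BC500", "CC400W", "TC500"}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(\d+))?$")


def parse_version(text: str) -> tuple:
    """Turn 'major.minor.patch-build' into an integer tuple so comparison is numeric.

    A plain string compare would wrongly rank '1.10.0-0010' below '1.2.0-0525'.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version format: {text!r}")
    major, minor, patch, build = m.groups()
    return (int(major), int(minor), int(patch), int(build or 0))


def camera_needs_update(model: str, firmware: str) -> bool:
    """True if the model is in the affected list and its firmware is below the fix."""
    if model.upper() not in AFFECTED_CAMERA_MODELS:
        return False
    return parse_version(firmware) < parse_version(CAMERA_FIXED_FIRMWARE)


def triage(inventory: list) -> list:
    """Return (hostname, model, firmware) for each camera still exposed to CVE-2024-11131."""
    return [(h, m, fw) for h, m, fw in inventory if camera_needs_update(m, fw)]


# Constructed sample inventory; hostnames and versions are made up for this example.
SAMPLE_INVENTORY = [
    ("cam-lobby-01", "BC500", "1.1.3-0443"),   # below the fix: flagged
    ("cam-dock-02", "TC500", "1.2.0-0525"),    # exactly the fixed build: not flagged
    ("cam-yard-03", "CC400W", "1.2.0-0600"),   # newer build: not flagged
    ("cam-hall-04", "BC500", "1.10.0-0010"),   # newer minor version: not flagged
]

if __name__ == "__main__":
    for host, model, fw in triage(SAMPLE_INVENTORY):
        print(f"{host}: {model} on {fw} is below {CAMERA_FIXED_FIRMWARE}, update required")
```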

Security Recommendations:

Synology recommends that all users of affected products immediately upgrade to the latest patched versions to protect against these vulnerabilities. The company has released detailed advisories and update instructions, which should be followed to mitigate the risk of exploitation.

Critical Updates Available For:

  • DSM versions 7.2.2, 7.2.1, 7.2, 7.1, and 6.2
  • BSM versions 1.0 and 1.1
  • DSMUC versions 3.0 and 3.1

Users must act quickly to ensure their systems are no longer vulnerable to these significant threats.

Conclusion:

With the increasing number of cyberattacks targeting critical infrastructure, it’s vital that Synology users take immediate action. Failing to apply these updates could expose systems to potential remote attacks, unauthorized data access, and significant damage to the device’s integrity.

For detailed information and to download the necessary updates, visit Synology’s official security advisory pages.