Critical Vulnerability in Synology Virtual Private Network (VPN) Plus Servers

Published on 04 Jan 2023

Updated on 04 Jan 2023

Synology has released security patches to address a critical out-of-bounds write vulnerability (CVE-2022-43931). The vulnerability lies in the Remote Desktop functionality of Synology VPN Plus Server versions before 1.4.3-0534 (for SRM 1.2) and 1.4.4-0635 (for SRM 1.3), and it has a Common Vulnerability Scoring System version 3 (CVSSv3) score of 10 out of 10.

Successful exploitation of the vulnerability could allow remote attackers to execute arbitrary commands.

Users are advised to upgrade to the following versions immediately:

  • 1.4.3-0534 or above for VPN Plus Server for SRM 1.2
  • 1.4.4-0635 or above for VPN Plus Server for SRM 1.3
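
The following Python script is an added example, not code from Synology or from this advisory. It checks an inventory of routers against the two fixed versions named above: Synology package versions are parsed into numeric major.minor.patch-build fields and compared field by field (so 1.4.10 correctly ranks above 1.4.9, which a plain string comparison would get wrong), and the SRM branch decides which fixed version applies. The hostnames and SRM version strings in the sample inventory are constructed for illustration.

```python
"""Flag Synology VPN Plus Server installs still below the fixed versions named in
the advisory (CVE-2022-43931). Added example; not Synology's or the advisory's code."""
import re
from typing import NamedTuple


class PkgVersion(NamedTuple):
    """Synology package version: major.minor.patch-build, e.g. 1.4.3-0534."""
    major: int
    minor: int
    patch: int
    build: int

    @classmethod
    def parse(cls, text: str) -> "PkgVersion":
        m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)-(\d+)", text.strip())
        if not m:
            raise ValueError(f"unrecognised package version: {text!r}")
        return cls(*(int(g) for g in m.groups()))


# Minimum fixed versions from the advisory, keyed by SRM branch.
FIXED_VERSIONS = {
    "1.2": PkgVersion.parse("1.4.3-0534"),
    "1.3": PkgVersion.parse("1.4.4-0635"),
}


def srm_branch(srm_version: str) -> str:
    """Reduce an SRM version string (e.g. '1.2.5-0001', constructed) to 'major.minor'."""
    m = re.match(r"(\d+)\.(\d+)", srm_version.strip())
    if not m:
        raise ValueError(f"unrecognised SRM version: {srm_version!r}")
    return f"{m.group(1)}.{m.group(2)}"


def is_affected(srm_version: str, vpnplus_version: str) -> bool:
    """True when the installed VPN Plus Server is below the fixed version for its SRM branch."""
    branch = srm_branch(srm_version)
    fixed = FIXED_VERSIONS.get(branch)
    if fixed is None:
        raise ValueError(f"advisory names no fixed version for SRM {branch}")
    # NamedTuple comparison is lexicographic over the numeric fields:
    # major, then minor, then patch, then build.
    return PkgVersion.parse(vpnplus_version) < fixed


def triage(inventory):
    """Return [(host, 'AFFECTED' | 'PATCHED' | 'UNKNOWN'), ...] for a list of routers."""
    results = []
    for entry in inventory:
        try:
            status = "AFFECTED" if is_affected(entry["srm"], entry["vpnplus"]) else "PATCHED"
        except ValueError:
            # SRM branch not covered by the advisory, or a version string we cannot parse:
            # report it rather than silently treating it as patched.
            status = "UNKNOWN"
        results.append((entry["host"], status))
    return results


# Constructed sample inventory; hostnames and SRM version strings are made up.
SAMPLE_INVENTORY = [
    {"host": "router-branch-a", "srm": "1.2.5-0001", "vpnplus": "1.4.2-0480"},
    {"host": "router-branch-b", "srm": "1.3.1-0001", "vpnplus": "1.4.4-0635"},
    {"host": "router-lab",      "srm": "1.3.1-0001", "vpnplus": "1.4.3-0534"},
    {"host": "router-legacy",   "srm": "1.1.7-0001", "vpnplus": "1.4.1-0400"},
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY):
        print(f"{host:16} {status}")
```

Note that 1.4.3-0534 is reported as affected on an SRM 1.3 router: the advisory gives 1.4.4-0635 as the minimum for that branch, so the check is keyed on the branch rather than on the package version alone.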
More information is available here:

https://www.synology.com/en-us/security/advisory/Synology_SA_22_26

https://www.bleepingcomputer.com/news/security/synology-fixes-maximum-severity-vulnerability-in-vpn-routers/