Critical Synology Vulnerability Lets Attackers Remotely Execute Arbitrary Code

A severe vulnerability in Synology's DiskStation Manager (DSM) allows remote attackers to execute arbitrary code with no user interaction. The flaw, tracked as CVE-2024-10441 and disclosed during PWN2OWN 2024, received a Critical severity rating with a CVSS score of 9.8, indicating its potential for widespread exploitation. This vulnerability represents one of the most serious security issues discovered in Synology products this year.

The technical vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating network accessibility, low attack complexity, no privileges required, no user interaction needed, and high confidentiality, integrity, and availability impact. With a CVSS score of 9.8 and no authentication required, attackers could potentially take complete control of vulnerable systems. This critical flaw affects multiple Synology products, including DSM versions prior to specified patched releases, BeeStation Manager (BSM), and Synology Unified Controller (DSMUC).

Two further, lower-severity vulnerabilities are described alongside it. CVE-2024-10445 is an improper certificate validation vulnerability in the update functionality, with a CVSS score of 4.3, that enables adjacent attackers to write limited files. CVE-2024-50629 is a vulnerability in the web API component, with a CVSS score of 5.3, that allows attackers to read limited files via unspecified vectors.

The vulnerabilities were discovered by prominent security researchers including Pumpkin Chang (@u1f383) and Orange Tsai (@orange_8361) from DEVCORE Research Team, along with Ryan Emmons (@the_emmons) and Team Smoking Barrels. Synology initially released this security advisory on November 5, 2024, with subsequent updates releasing patches for various product lines. The most recent update, on March 19, 2025, disclosed complete vulnerability details after giving users adequate time to update their systems.

Given the severity and remote exploitability of CVE-2024-10441, organizations and individuals using Synology NAS devices should treat this update as an emergency patch.

This Cyber News was published on cybersecuritynews.com. Publication date: Wed, 19 Mar 2025 09:15:04 +0000
