Critical Synology Vulnerability Lets Attackers Remotely Execute Arbitrary Code

A severe vulnerability in Synology's DiskStation Manager (DSM) allows remote attackers to execute arbitrary code with no user interaction. The flaw, disclosed during Pwn2Own 2024, received a Critical severity rating with a CVSS score of 9.8, indicating its potential for widespread exploitation, and represents one of the most serious security issues discovered in Synology products this year. Its vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H: reachable over the network, low attack complexity, no privileges required, no user interaction needed, and high confidentiality, integrity and availability impact. Because no authentication is required, attackers could potentially take complete control of vulnerable systems.

The flaw affects multiple Synology products, including DSM versions prior to the patched releases specified in the advisory, BeeStation Manager (BSM), and Synology Unified Controller (DSMUC). Two lower-severity issues were disclosed alongside it: CVE-2024-10445, an improper certificate validation vulnerability in the update functionality (CVSS 4.3) that enables adjacent attackers to write limited files, and CVE-2024-50629, a vulnerability in the web API component (CVSS 5.3) that allows attackers to read limited files via unspecified vectors.

The vulnerabilities were discovered by prominent security researchers including Pumpkin Chang (@u1f383) and Orange Tsai (@orange_8361) from the DEVCORE Research Team, along with Ryan Emmons (@the_emmons) and Team Smoking Barrels. Synology initially released this security advisory on November 5, 2024, with subsequent updates releasing patches for various product lines. The most recent update, on March 19, 2025, disclosed complete vulnerability details after giving users adequate time to update their systems.
Given the severity and remote exploitability of CVE-2024-10441, organizations and individuals using Synology NAS devices should treat this update as an emergency patch.

Kaaviya is a Security Editor and fellow reporter with Cyber Security News. She covers various cyber security incidents happening in cyberspace.

This Cyber News was published on cybersecuritynews.com. Publication date: Wed, 19 Mar 2025 09:15:04 +0000

