A recently disclosed vulnerability in Synology routers that run the VPN Plus Server package has been given a critical severity rating and the maximum CVSS score of 10/10. Synology is a global data management and security company specialising in network attached storage (NAS) and storage area network (SAN) devices. Synology Router Manager (SRM) is the operating system on every Synology router and provides the user interface together with malware detection and removal functionality. A Synology router can additionally be turned into a VPN server by installing the VPN Plus Server package on top of SRM. A recent security advisory from Synology details the affected versions.
This maximum severity vulnerability, tracked as CVE-2022-43931, was discovered internally at Synology by their Product Security Incident Response Team (PSIRT). VPN Plus Server turns the router into a VPN endpoint, letting remote users reach resources that are otherwise only reachable from behind the router. The flaw is an out-of-bounds write in the package's Remote Desktop functionality; a remote attacker can trigger it to execute arbitrary commands on the device, with no authentication or user interaction required according to the CVSS 10.0 rating.
Synology has published no workaround or mitigation for this vulnerability; the only remediation is to upgrade affected products to a release in which it has been fixed. Users of VPN Plus Server for SRM 1.3 need to update to version 1.4.4-0635 or above, and users of VPN Plus Server for SRM 1.2 need to update to version 1.4.3-0534 or above. No other Synology products are thought to be affected by this vulnerability. However, a separate update released the previous month patched multiple critical vulnerabilities in SRM itself, so all users should ensure that every device running SRM 1.3 has been upgraded to 1.3.1-9346-3 or above, and every device running SRM 1.2 to 1.2.5-8227-6 or above, even if the VPN functionality is not in use. Because VPN Plus Server is by design reachable from the internet, it is worth confirming both the SRM version and the package version on every router rather than assuming the auto-update has run.
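The version checks above are easy to get wrong by hand because Synology version strings carry a dotted release, a build number and sometimes a trailing patch number (1.3.1-9346-3), and the fixed VPN Plus Server build differs by SRM branch. The following script is an added example, not code from Synology or from the advisory; it takes an inventory of routers with their SRM and VPN Plus Server version strings (a constructed sample is embedded below; in practice you would read them from the SRM control panel or Package Center) and reports which devices still need the two updates named on this page. The hostnames, the `audit_fleet` helper and the mapping of SRM 1.3 to the 1.4.4 line and SRM 1.2 to the 1.4.3 line are assumptions made for the example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Fixed versions as stated in the Synology advisory quoted on this page.
# Assumption for this example: the required VPN Plus Server build is chosen
# by the SRM major.minor branch the router runs (1.3 -> 1.4.4 line, 1.2 -> 1.4.3 line).
FIXED_VPNPLUS = {"1.3": "1.4.4-0635", "1.2": "1.4.3-0534"}   # CVE-2022-43931
FIXED_SRM = {"1.3": "1.3.1-9346-3", "1.2": "1.2.5-8227-6"}   # earlier SRM update

# release (dotted) - build - optional patch, e.g. 1.3.1-9346-3 or 1.4.3-0534
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-(\d+))?(?:-(\d+))?$")


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a Synology version string into a tuple that compares correctly.

    '1.4.3-0534'   -> (1, 4, 3, 534, 0)
    '1.3.1-9346-3' -> (1, 3, 1, 9346, 3)
    Missing build or patch fields count as 0, and the dotted part is padded
    to three components so that '1.4' sorts like '1.4.0'.
    """
    match = _VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised Synology version string: {version!r}")
    dotted, build, patch = match.groups()
    release = [int(part) for part in dotted.split(".")]
    while len(release) < 3:
        release.append(0)
    return tuple(release) + (int(build or 0), int(patch or 0))


def srm_branch(srm_version: str) -> str:
    """Return the SRM branch ('1.3', '1.2', ...) the advisory keys its fixes on."""
    major, minor = parse_version(srm_version)[:2]
    return f"{major}.{minor}"


def srm_outdated(srm_version: str) -> bool:
    """True if SRM itself is below the fixed build for its branch."""
    branch = srm_branch(srm_version)
    if branch not in FIXED_SRM:
        raise ValueError(f"SRM branch {branch} is not covered by the advisory")
    return parse_version(srm_version) < parse_version(FIXED_SRM[branch])


def vpnplus_vulnerable(srm_version: str, vpnplus_version: str) -> bool:
    """True if the installed VPN Plus Server build is below the fix for this SRM branch."""
    branch = srm_branch(srm_version)
    if branch not in FIXED_VPNPLUS:
        raise ValueError(f"SRM branch {branch} is not covered by the advisory")
    return parse_version(vpnplus_version) < parse_version(FIXED_VPNPLUS[branch])


def audit_device(srm_version: str, vpnplus_version: Optional[str]) -> List[str]:
    """Findings for one router. vpnplus_version is None when the package is absent,
    in which case only the SRM update is checked."""
    findings: List[str] = []
    if srm_outdated(srm_version):
        findings.append(f"SRM {srm_version} -> upgrade to {FIXED_SRM[srm_branch(srm_version)]}")
    if vpnplus_version is not None and vpnplus_vulnerable(srm_version, vpnplus_version):
        findings.append(
            f"VPN Plus Server {vpnplus_version} vulnerable to CVE-2022-43931 "
            f"-> upgrade to {FIXED_VPNPLUS[srm_branch(srm_version)]}"
        )
    return findings


def audit_fleet(inventory: Dict[str, Tuple[str, Optional[str]]]) -> Dict[str, List[str]]:
    """Map hostname -> findings for every router that needs action."""
    report = {host: audit_device(srm, vpn) for host, (srm, vpn) in inventory.items()}
    return {host: found for host, found in report.items() if found}


# Constructed sample inventory for the example: hostname -> (SRM version, VPN Plus Server version or None).
SAMPLE_INVENTORY: Dict[str, Tuple[str, Optional[str]]] = {
    "branch-router-01": ("1.3.1-9346-3", "1.4.4-0635"),   # fully patched
    "branch-router-02": ("1.3.1-9346-2", "1.4.4-0627"),   # both updates missing
    "branch-router-03": ("1.2.5-8227-6", "1.4.3-0500"),   # SRM 1.2 fine, VPN package old
    "branch-router-04": ("1.2.5-8227", None),             # no VPN package, old SRM
}

if __name__ == "__main__":
    for host, findings in audit_fleet(SAMPLE_INVENTORY).items():
        for line in findings:
            print(f"{host}: {line}")
```

The comparison is done on integer tuples rather than on the raw strings so that build 0635 is correctly seen as newer than build 0627 and a trailing patch number (the -3 in 1.3.1-9346-3) is not ignored; a plain string comparison would also mis-order builds once a component passes 9999.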