Issued: Thursday, 5 January, 2023
Last Revision: Thursday, 5 January, 2023
Vendor: Synology
Product: VPN Plus Server for Synology Router Manager (SRM)
Severity Level: Critical
Synology has published two new critical advisories. One of them describes an internally discovered vulnerability affecting Synology VPN Plus Server, the package that turns Synology routers into an advanced VPN server.
The security hole, tracked as CVE-2022-43931, is an out-of-bounds write issue in the remote desktop functionality of VPN Plus Server. It can allow a remote attacker to execute arbitrary commands.
The second advisory describes multiple vulnerabilities impacting the Synology Router Manager (SRM), the operating system that powers the firm’s routers. The flaws can be exploited for arbitrary command execution, denial-of-service (DoS) attacks, and reading arbitrary files.
| CVE/Vulnerability | Affected Products | Description | CVSSv3 Score | Exploitable |
| --- | --- | --- | --- | --- |
| CVE-2022-43931 | VPN Plus Server for SRM 1.3 & 1.2 | Out-of-bounds write vulnerability in Remote Desktop functionality | 10 | No |
Organizations are encouraged to upgrade affected installations to the latest available version.
