- Synology warned users about a CVSS 10.0 vulnerability affecting its VPN Plus Server package for SRM routers.
- The vulnerability allows remote attackers to execute arbitrary commands on a router running a vulnerable version of Synology VPN Plus Server.
- It is an out-of-bounds write vulnerability in the Remote Desktop functionality of Synology VPN Plus Server before 1.4.3-0534 (SRM 1.2) and before 1.4.4-0635 (SRM 1.3).
Synology released updates to fix a maximum-severity vulnerability with a CVSS v3 base score of 10.0. The vulnerability affects Synology routers running SRM with the VPN Plus Server package installed, i.e. routers configured to act as VPN servers. The vulnerability, tracked as CVE-2022-43931, allows remote attackers to execute arbitrary commands via a vulnerable version of Synology VPN Plus Server.
CVSS v3 score 10.0
The vulnerability, discovered by the company’s own Product Security Incident Response Team (PSIRT), is an out-of-bounds write in the Remote Desktop functionality of Synology VPN Plus Server, allowing remote attackers to execute arbitrary commands via unspecified vectors. The vulnerability impacts:
- VPN Plus Server for SRM 1.2
- VPN Plus Server for SRM 1.3
The vulnerability has the highest possible severity, so users are urged to download and install the fix as soon as possible. The issue is fixed in VPN Plus Server 1.4.3-0534 or above for SRM 1.2 and in 1.4.4-0635 or above for SRM 1.3. Note that the two fixed builds live on separate package branches: a router on SRM 1.2 is patched at 1.4.3-0534 even though that version number is lower than the SRM 1.3 fix, so any fleet check has to compare the installed build against the fixed build for the router's own SRM branch rather than against a single "latest" number.
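As an added example (not part of the original article and not Synology's own tooling), the following Python snippet turns the per-branch fixed versions above into a small inventory check for CVE-2022-43931. The hostnames, the inventory list and the helper names are constructed for illustration; the fixed versions are the ones stated in the advisory summary. It also keeps a deliberately branch-unaware check alongside the correct one to show the false positive that a single "must be at least 1.4.4-0635" rule produces for SRM 1.2 devices.

```python
import re
from typing import Dict, List, Tuple

# Fixed VPN Plus Server builds per SRM branch, as given in the advisory summary
# above. Each SRM branch ships its own package line, so the fixed build for
# SRM 1.2 carries a *lower* version number than the fixed build for SRM 1.3.
FIXED_VERSIONS: Dict[str, str] = {
    "1.2": "1.4.3-0534",
    "1.3": "1.4.4-0635",
}

# Synology package versions look like "1.4.4-0635": a dotted release number
# followed by a dash and a zero-padded build number.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(\d+)$")


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Split '1.4.4-0635' into an integer tuple so it compares numerically.

    Plain string comparison would be wrong for build numbers of differing
    width (e.g. '0635' vs '1000'); integer tuples compare element by element.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised VPN Plus Server version: {version!r}")
    major, minor, patch, build = (int(x) for x in m.groups())
    return (major, minor, patch, build)


def is_vulnerable(srm_branch: str, package_version: str) -> bool:
    """True if the installed package is below the fixed build for its SRM branch."""
    try:
        fixed = FIXED_VERSIONS[srm_branch]
    except KeyError:
        raise ValueError(f"no fixed version known for SRM {srm_branch!r}") from None
    return parse_version(package_version) < parse_version(fixed)


def naive_is_vulnerable(package_version: str) -> bool:
    """A branch-unaware check against the highest fixed build.

    Kept only to show the false positive it produces: an SRM 1.2 device on
    the patched 1.4.3-0534 build is reported as vulnerable by this rule.
    """
    return parse_version(package_version) < parse_version(FIXED_VERSIONS["1.3"])


# Constructed sample inventory (hostname, SRM branch, installed package
# version); hypothetical data, not taken from any real deployment.
SAMPLE_INVENTORY: List[Tuple[str, str, str]] = [
    ("router-branch-office", "1.2", "1.4.3-0521"),
    ("router-hq", "1.3", "1.4.4-0635"),
    ("router-lab", "1.3", "1.4.4-0620"),
    ("router-warehouse", "1.2", "1.4.3-0534"),
]


def audit(inventory: List[Tuple[str, str, str]]) -> Dict[str, str]:
    """Map each host to 'vulnerable' or 'patched' for CVE-2022-43931."""
    return {
        host: "vulnerable" if is_vulnerable(branch, version) else "patched"
        for host, branch, version in inventory
    }


if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host:24} {status}")
```

Feed `audit()` whatever your own inventory export yields as (host, SRM branch, package version) triples; the SRM branch has to come from the device itself, since the package version alone does not tell you which fixed build applies.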