Synology addresses the RCE vulnerability that affects VPN Plus servers


Threat Level
Vulnerability Report

Summary

Synology has addressed a flaw in VPN Plus Server that could allow attackers to take control of affected systems. The vulnerability, identified as CVE-2022-43931, is an out-of-bounds write flaw in the remote desktop feature of Synology VPN Plus Server. When exploited, it allows remote attackers to execute arbitrary commands via undefined vectors, launch denial-of-service (DoS) attacks, and read arbitrary files.