Synology: Synology DiskStation Manager Vulnerability Puts Users at Risk of Remote Command Execution Attacks

Synology Patches Critical Remote Code Execution Flaw in DSM Software

Synology has released an urgent security update for its DiskStation Manager (DSM) software to address a critical vulnerability (CVE-2026-32746) that could allow unauthenticated remote attackers to execute arbitrary commands on affected network-attached storage (NAS) devices. The flaw, tracked under advisory Synology-SA-26:03, carries a CVSS score of 9.8, classifying it as a severe risk.

The vulnerability stems from a buffer overflow defect (CWE-120) in the telnetd service of the GNU Inetutils package, specifically within the LINEMODE SLC suboption handler. Due to improper memory buffer checks in the add_slc function, attackers can exploit this flaw to trigger an out-of-bounds write, enabling remote code execution without authentication.
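The bug class named above, CWE-120 in a routine that appends SLC triplets to a fixed reply buffer, can be shown with a small bounds-checked append. This is an added illustration, not Synology's or GNU Inetutils' code: `SLC_REPLY_MAX`, `add_slc_checked`, `process_slc` and the sample input are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
/* Constructed illustration of the CWE-120 pattern; not inetutils telnetd code. */
#define SLC_REPLY_MAX 64   /* hypothetical fixed-size SLC reply buffer */

struct slc_reply {
    unsigned char buf[SLC_REPLY_MAX];
    size_t len;
};

/* Append one SLC triplet (func, flags, level). An unchecked append would store
 * the three octets unconditionally and write past buf once len exceeds 61, the
 * out-of-bounds write class the advisory describes; this one refuses instead. */
bool add_slc_checked(struct slc_reply *r, unsigned char func,
                     unsigned char flags, unsigned char level)
{
    if (r->len > SLC_REPLY_MAX - 3)     /* no room left for three octets */
        return false;
    r->buf[r->len++] = func;
    r->buf[r->len++] = flags;
    r->buf[r->len++] = level;
    return true;
}

/* Echo every complete triplet of a received SLC suboption body into the
 * reply; stop at the first that does not fit. Returns triplets accepted. */
size_t process_slc(struct slc_reply *r, const unsigned char *body, size_t n)
{
    size_t accepted = 0;
    for (size_t i = 0; i + 3 <= n; i += 3) {
        if (!add_slc_checked(r, body[i], body[i + 1], body[i + 2]))
            break;
        accepted++;
    }
    return accepted;
}

/* Build a constructed body of `triplets` triplets (capped at 64), process it
 * into a fresh reply, and report the final reply length through out_len. */
size_t run_sample(size_t triplets, size_t *out_len)
{
    unsigned char body[3 * 64];
    if (triplets > 64) triplets = 64;
    for (size_t i = 0; i < 3 * triplets; i++)
        body[i] = (unsigned char)(i + 1);
    struct slc_reply r = { .len = 0 };
    size_t accepted = process_slc(&r, body, 3 * triplets);
    *out_len = r.len;
    return accepted;
}
```

With a 30-triplet body (90 octets) only 21 triplets are echoed and the reply stays at 63 octets; the unchecked variant would have kept writing past the 64-octet buffer.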

Given that NAS devices often store sensitive business backups and personal data, successful exploitation could lead to ransomware deployment, data theft, or lateral movement within internal networks. The issue affects multiple DSM versions, including 7.3, 7.2.2, and 7.2.1; patches are available for most of them, while a fix for some specialized systems, such as DSMUC 3.1, is still in development.

Synology has provided immediate mitigation steps for unpatched devices, urging administrators to disable the Telnet service via the Control Panel’s Terminal settings. Unaffected platforms include BeeStation OS 1.4, Synology Router Manager (SRM) 1.3, and VS600HD 1.2. The company emphasizes replacing legacy protocols like Telnet with encrypted alternatives such as SSH.

Source: https://gbhackers.com/synology-diskstation-manager-vulnerability/

Synology cybersecurity rating report: https://www.rankiteo.com/company/synology
