CVE-2024-45538
Synology · Synology DiskStation Manager (DSM), Synology Unified Controller (DSMUC)
A critical Cross-Site Request Forgery (CSRF) vulnerability, identified as CVE-2024-45538, affects certain Synology products, including DiskStation Manager (DSM) and Unified Controller (DSMUC).
Executive summary
CVE-2024-45538 is a Cross-Site Request Forgery (CSRF) vulnerability in the WebAPI framework of Synology DiskStation Manager (DSM) and Synology Unified Controller (DSMUC). An attacker who lures an authenticated administrator to a malicious page can make that administrator's browser send forged requests to the device, and the outcome is arbitrary code execution on the device, which can lead to complete compromise of the device and the data it stores. The vulnerability carries a critical severity rating (CVSS 9.6), so remediation should be treated as urgent.
Vulnerability
This vulnerability is a Cross-Site Request Forgery (CSRF) flaw within the WebAPI Framework of the affected Synology products. The attacker crafts a malicious web page (or a link to one) and lures a user who currently holds an authenticated session on the device's management interface into opening it. The page causes the victim's browser to issue a request to the device's WebAPI; because the browser attaches the device's session cookie to that request automatically, the WebAPI treats it as a legitimate action by the logged-in user and executes it. The attacker never needs the victim's credentials and never connects to the device directly: the forged request comes from the victim's browser, from the victim's network location, with the victim's privileges. Where those privileges are administrative, the result is arbitrary code execution on the device.
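The mechanism above is generic to cookie-authenticated web APIs. The following is an added illustration, not Synology's code and not a description of the affected endpoint: a toy API handler that trusts the session cookie alone (the CSRF-prone pattern) beside a hardened handler that also requires an Origin/Referer matching the device and a per-session token that a cross-site page cannot read. The hostname, path, parameter names and session values are assumptions chosen for the example.

```python
# Added example: a generic model of a cookie-authenticated web API, NOT
# Synology's code. Hostname, path, parameter names and session data are
# assumptions for illustration only.
from dataclasses import dataclass, field
import hmac
import secrets

DEVICE_ORIGIN = "https://nas.example.internal:5001"  # assumed management URL


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)  # Cookie, Origin/Referer, ...
    params: dict = field(default_factory=dict)


# session id -> (user, per-session anti-CSRF token); constructed sample data
SESSIONS = {"s3cr3t-session-id": ("admin", secrets.token_urlsafe(32))}


def session_of(req):
    """Look up the session named by the 'id' cookie, or None."""
    for part in req.headers.get("Cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == "id" and value in SESSIONS:
            return value
    return None


def vulnerable_handler(req):
    """CSRF-prone: the cookie alone authorises a state-changing call, so a
    request forged by another site but sent by the victim's browser succeeds."""
    sid = session_of(req)
    if sid is None:
        return 401, "not authenticated"
    return 200, f"executed {req.params.get('method')} as {SESSIONS[sid][0]}"


def hardened_handler(req):
    """Same API, but non-GET calls must (1) carry an Origin or Referer that
    belongs to the device and (2) echo the per-session token, which a page on
    another origin cannot read because of the same-origin policy."""
    sid = session_of(req)
    if sid is None:
        return 401, "not authenticated"
    if req.method != "GET":
        origin = req.headers.get("Origin") or req.headers.get("Referer", "")
        if origin != DEVICE_ORIGIN and not origin.startswith(DEVICE_ORIGIN + "/"):
            return 403, "cross-site request rejected (origin)"
        token = req.params.get("csrf_token", "")
        if not hmac.compare_digest(token, SESSIONS[sid][1]):
            return 403, "cross-site request rejected (token)"
    return 200, f"executed {req.params.get('method')} as {SESSIONS[sid][0]}"


def forged_request():
    """What the victim's browser emits after loading the attacker's page: the
    browser adds the session cookie itself; the attacker controls the rest but
    cannot set Origin to the device or read the victim's token."""
    return Request(
        "POST", "/api/example",
        headers={"Cookie": "id=s3cr3t-session-id", "Origin": "https://attacker.example"},
        params={"method": "create_admin"},
    )


def legitimate_request():
    """A same-origin call made by the real management UI."""
    sid = "s3cr3t-session-id"
    return Request(
        "POST", "/api/example",
        headers={"Cookie": f"id={sid}", "Origin": DEVICE_ORIGIN},
        params={"method": "create_admin", "csrf_token": SESSIONS[sid][1]},
    )


if __name__ == "__main__":
    print("vulnerable:", vulnerable_handler(forged_request()))
    print("hardened  :", hardened_handler(forged_request()))
    print("hardened  :", hardened_handler(legitimate_request()))
```

Two points the example makes concrete: the forged and legitimate requests are indistinguishable by source address and by cookie, and the origin check alone is not sufficient (browsers may omit Referer under strict referrer policies, and non-browser clients set arbitrary headers), which is why the token check is the primary control. Browsers additionally limit this class of attack through the SameSite cookie attribute, but the server-side check is the control the application owns.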
Business impact
This vulnerability is rated critical with a CVSS base score of 9.6, a score consistent with a flaw that is reachable over the network, requires no privileges and only the victim's interaction, and has changed scope with high impact on confidentiality, integrity and availability. Successful exploitation could lead to complete compromise of the affected Synology device. The business impact is severe: theft of the corporate or personal data stored on the device, deployment of ransomware to encrypt or destroy the files and backups it holds (NAS devices are frequently the backup target, so the recovery path is lost at the same time), and disruption of business operations that rely on the device for file sharing and storage. A compromised device can also serve as a pivot point for attacks against the rest of the internal network, escalating the incident significantly.
Remediation
Immediate Action: Update affected Synology DiskStation Manager (DSM) and Synology Unified Controller (DSMUC) installations to the fixed release for the branch the device runs, as recommended by the vendor: DSM 7.2.1-69057-2 or later on the 7.2.1 branch, DSM 7.2.2-72806 or later on the 7.2.2 branch, and DSMUC 3.1.4-23079 or later. Because a CSRF attack performs its actions under the administrator's own identity, post-patch review of system and access logs should look for administrative actions (configuration changes, account or task creation) that no administrator remembers performing, not only for activity from unknown sources.
Proactive Monitoring:
- Review web server access logs on the Synology device for unusual or unexpected requests to WebAPI endpoints, paying close attention to the Referer (or Origin) of state-changing requests: a request referred from a site other than the device itself is the signature of a cross-site attempt. Note that the forged request is sent by the administrator's own browser, so its source IP is the administrator's workstation and is not a useful indicator, and that a missing Referer is only weak evidence, since API clients and strict referrer policies also omit it.
- Monitor for unauthorized configuration changes, the creation of new user accounts, or unexpected scheduled tasks.
- Scrutinize outbound network traffic from the Synology device for connections to command-and-control (C2) servers or other unfamiliar IP addresses.
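As an added worked example of the log review above (not a Synology tool, and not based on any published indicator for this CVE), the script below scans web server access logs in the nginx "combined" format and flags WebAPI requests whose Referer belongs to another site, plus, at lower confidence, non-GET WebAPI requests with no Referer at all. The log lines, the device hostnames and the /webapi/ path prefix are constructed assumptions for the example.

```python
# Added detection example for the monitoring guidance above. Not a Synology
# tool; the nginx "combined" log format, the sample lines, the /webapi/ prefix
# and the device hostnames are all constructed assumptions.
import re
from urllib.parse import urlsplit

# Hostnames (with port where used) under which administrators reach the device.
DEVICE_HOSTS = {"nas.example.internal:5001", "192.0.2.10:5001"}  # assumed

# nginx combined: $remote_addr - $remote_user [$time_local] "$request"
#                 $status $body_bytes_sent "$http_referer" "$http_user_agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample: one legitimate UI call, one forged POST referred from an
# attacker page, the same forged POST with the Referer stripped, and an
# unrelated page load. Note the attacks share the admin's source IP.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Oct/2024:09:12:01 +0000] "GET /webapi/example.cgi?api=example.info&method=get HTTP/1.1" 200 512 "https://nas.example.internal:5001/" "Mozilla/5.0"
203.0.113.7 - - [01/Oct/2024:09:12:44 +0000] "POST /webapi/example.cgi HTTP/1.1" 200 87 "https://blog.attacker.example/deals.html" "Mozilla/5.0"
203.0.113.7 - - [01/Oct/2024:09:12:45 +0000] "POST /webapi/example.cgi HTTP/1.1" 200 87 "-" "Mozilla/5.0"
198.51.100.4 - - [01/Oct/2024:09:13:10 +0000] "GET /index.html HTTP/1.1" 200 9120 "https://blog.attacker.example/" "Mozilla/5.0"
"""


def referer_host(referer):
    """Host[:port] of the Referer URL, or None when nginx logged '-' / empty."""
    if referer in ("", "-"):
        return None
    return urlsplit(referer).netloc.lower()


def suspicious(entry):
    """Reason string if a WebAPI request looks cross-site, else None."""
    if not entry["path"].startswith("/webapi/"):
        return None
    host = referer_host(entry["referer"])
    if host is not None and host not in DEVICE_HOSTS:
        return f"cross-site referer {host}"
    if host is None and entry["method"] != "GET":
        # Lower confidence: API clients and strict referrer policies also
        # produce this, so treat it as a lead to correlate, not an alert.
        return "no referer on state-changing request (low confidence)"
    return None


def scan(log_text):
    """Return (time, source ip, path, reason) for each flagged request."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; not in the format we expect
        entry = m.groupdict()
        reason = suspicious(entry)
        if reason:
            findings.append((entry["time"], entry["ip"], entry["path"], reason))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(*finding, sep=" | ")
```

Run against a real export by reading the access log into `scan()` in place of `SAMPLE_LOG`, after adjusting `DEVICE_HOSTS` to every name and port administrators actually use; otherwise legitimate UI traffic will be reported as cross-site. Correlate each finding with the administrator's own browsing history for the same minute, since the forged request and the visit to the malicious page happen together.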
Compensating Controls: If immediate patching is not feasible, implement the following controls to reduce risk:
- Restrict access to the DSM/DSMUC management interface to a dedicated, trusted network segment or specific IP addresses, and do not expose the management ports to the internet. Note that this does not by itself stop CSRF: the forged request is sent by the administrator's own browser from an allowed address. It reduces risk only when administration is done from workstations on that segment that are not also used for general web browsing and e-mail.
- Enforce a strict policy for administrators to log out of the management interface immediately after use to minimize the time window for a CSRF attack.
- Educate administrators on the risks of phishing and of browsing untrusted sites while logged into critical systems, and have them use a separate browser or browser profile for device administration so that a link opened elsewhere does not run in a browser that holds the management session.
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the critical CVSS score of 9.6 and the potential for complete system compromise, organizations should immediately identify all vulnerable Synology DSM and DSMUC devices and apply the security updates. The attack requires only that an administrator open an attacker-controlled page while holding an authenticated session, with no credentials and no direct network access to the device needed by the attacker, so it poses a significant and immediate risk to data confidentiality, integrity, and availability. Although this vulnerability is not currently listed on the CISA KEV catalog, its severity warrants treating it with the highest priority for remediation.