Synology has eliminated a critical vulnerability in VPN routers

The Taiwanese manufacturer eliminated the vulnerability, which scored 10 points out of 10 possible on the CVSS vulnerability assessment scale. The problem affected routers configured to work as VPN servers using Synology VPN Plus Server.

The vulnerability received the identifier CVE-2022-43931 and is described as an out-of-bounds entry error related to remote desktop functions in Synology VPN Plus Server.

The manufacturer said that the successful operation of the bug, discovered by the company's own security team, "allows remote attackers to execute arbitrary commands through arbitrary vectors." At the same time, it is known that exploiting the vulnerability does not require privileges on target routers or any interaction with the user.

As a result, users of VPN Plus Server for Synology Router Manager (SRM) 1.2 and VPN Plus Server for SRM 1.3 are recommended to upgrade to versions 1.4.3-0534 and 1.4.4-0635 as soon as possible.