The Taiwanese NAS manufacturer Synology has eliminated the vulnerability of the maximum (10/10) severity in VPN routers, as well as vulnerabilities that were probably recently used at the Pwn2Own hacking contest.

At the end of December, the company published two new critical bulletins.

One of them describes a vulnerability affecting Synology VPN Plus, a virtual private network server that allows you to configure routers as a VPN server to provide remote access to resources.

Tracked as CVE-2022-43931, an error was detected by Synology PSIRT. The vulnerability can be exploited in low-complexity attacks without privileges on target routers or user interaction.

The error of writing abroad in the remote desktop function in Synology VPN Plus Server allows remote attackers to execute arbitrary commands through unspecified vectors, leading to serious consequences such as data corruption, system failures and code execution after memory corruption.

Synology has released updates to fix the bug and recommends that customers upgrade VPN Plus Server to the latest version available.

The second bulletin describes numerous vulnerabilities affecting Synology Router Manager (SRM), the operating system on which the company's routers operate.

Vulnerabilities can be used to execute arbitrary commands, DoS-type attacks, and read arbitrary files.

Although Synology did not specify the CVE identifiers of security vulnerabilities, reports of fixed bugs are attributed to several researchers and teams.

Moreover, at least two of them, including Gaurav Baruah and Computest, successfully demonstrated 0-day exploits targeting the Synology RT6600ax router on the first day of Pwn2Own 2022 in Toronto.