PT-2025-11652 · Synology · Synology Diskstation Manager+2

Ryan Emmons · Published 2024-11-05 · Updated 2025-12-28 · CVE-2024-10441

CVSS v2.0: 10 (Critical) · Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions

Synology BeeStation Manager (BSM) versions prior to 1.1-65374
Synology DiskStation Manager (DSM) versions prior to 6.2.4-25556-8, 7.1.1-42962-7, 7.2-64570-4, 7.2.1-69057-6, and 7.2.2-72806-1
Synology Unified Controller (DSMUC) versions prior to 3.1.4-23079
Description

An issue exists in the system plugin daemon of Synology BeeStation Manager (BSM), Synology DiskStation Manager (DSM), and Synology Unified Controller (DSMUC) due to improper encoding or escaping of output. This can allow a remote attacker to execute arbitrary code. The vulnerability was discovered during the Pwn2Own competition and carries a critical severity rating. Exploitation of this issue has been observed in attacks targeting TrustWallet infrastructure, where a compromised Synology NAS running a vulnerable version of DSM was identified. The root cause is related to improper neutralization of argument delimiters in Vue.JS.
Recommendations

Update Synology BeeStation Manager to version 1.1-65374 or later.
Update Synology DiskStation Manager to version 6.2.4-25556-8 or later.
Update Synology DiskStation Manager to version 7.1.1-42962-7 or later.
Update Synology DiskStation Manager to version 7.2-64570-4 or later.
Update Synology DiskStation Manager to version 7.2.1-69057-6 or later.
Update Synology DiskStation Manager to version 7.2.2-72806-1 or later.
Update Synology Unified Controller to version 3.1.4-23079 or later.
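The fixed versions above are one per release branch, so a fleet check has to compare the branch first and the build/update numbers second rather than sorting all version strings into one line. The script below is an added example, not tooling from Synology or from this advisory; it assumes version strings in the "release-build[-update]" form the advisory itself uses (for example "7.2.2-72806-1"), assumes a missing update suffix means update 0, and treats a release branch the advisory does not list as undecidable from this page. The inventory at the bottom is constructed sample data.

```python
"""Classify installed Synology firmware versions against the CVE-2024-10441
fixed versions listed in this advisory (added example, not vendor tooling)."""
import re
from typing import Dict, List, Tuple

# Fixed versions per product, copied from the advisory text above.
FIXED_VERSIONS: Dict[str, List[str]] = {
    "BSM": ["1.1-65374"],
    "DSM": ["6.2.4-25556-8", "7.1.1-42962-7", "7.2-64570-4",
            "7.2.1-69057-6", "7.2.2-72806-1"],
    "DSMUC": ["3.1.4-23079"],
}

# Assumed format: dotted release number, dash, build number, optional dash + update.
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)-(\d+)(?:-(\d+))?$")


def parse_version(text: str) -> Tuple[Tuple[int, ...], int, int]:
    """Split 'release-build[-update]' into (release tuple, build, update).

    A missing update suffix is treated as update 0 (assumption)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Synology version string: {text!r}")
    release = tuple(int(part) for part in m.group(1).split("."))
    build = int(m.group(2))
    update = int(m.group(3)) if m.group(3) else 0
    return release, build, update


def assess(product: str, installed: str) -> str:
    """Return 'fixed', 'vulnerable' or 'unknown-branch' for one device.

    The fix for each release branch is compared only against devices on that
    exact branch; a branch absent from the advisory cannot be judged here."""
    if product not in FIXED_VERSIONS:
        raise ValueError(f"product not covered by this advisory: {product!r}")
    release, build, update = parse_version(installed)
    for fixed in FIXED_VERSIONS[product]:
        fixed_release, fixed_build, fixed_update = parse_version(fixed)
        if fixed_release == release:
            # Same branch: patched once build/update reaches the fixed pair.
            if (build, update) >= (fixed_build, fixed_update):
                return "fixed"
            return "vulnerable"
    return "unknown-branch"


def scan(inventory: List[Tuple[str, str, str]]) -> Dict[str, str]:
    """Map each (host, product, version) inventory row to its assessment."""
    return {host: assess(product, version) for host, product, version in inventory}


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are illustrative only.
    sample_inventory = [
        ("nas-01.example", "DSM", "7.2.2-72806-1"),
        ("nas-02.example", "DSM", "7.2.2-72806"),
        ("nas-03.example", "DSM", "7.2-64570-3"),
        ("bee-01.example", "BSM", "1.1-65000"),
        ("uc-01.example", "DSMUC", "3.1.4-23079"),
        ("nas-04.example", "DSM", "7.0.1-42218"),
    ]
    for host, verdict in scan(sample_inventory).items():
        print(f"{host}: {verdict}")
```

Feed it the product and version string each device reports; any row that comes back "vulnerable" should be scheduled for the corresponding update from the Recommendations list, and "unknown-branch" rows need a check against the vendor advisory rather than this page.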

Fix

RCE

Improper Encoding or Escaping of Output

Weakness Enumeration

Related Identifiers

BDU:2025-02935
CVE-2024-10441
ZDI-25-214

Affected Products

Synology Beestation Manager
Synology Diskstation Manager
Synology Unified Controller