PT-2025-11654 · Synology · Synology Unified Controller+2

Published: 2024-11-05 · Updated: 2025-11-17 · CVE-2024-10445

CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Name of the Vulnerable Software and Affected Versions

Synology BeeStation Manager (BSM) versions 1.1-65374 and earlier
Synology DiskStation Manager (DSM) versions prior to 6.2.4-25556-8
Synology DiskStation Manager (DSM) versions prior to 7.1.1-42962-7
Synology DiskStation Manager (DSM) versions prior to 7.2-64570-4
Synology DiskStation Manager (DSM) versions prior to 7.2.1-69057-6
Synology DiskStation Manager (DSM) versions prior to 7.2.2-72806-1
Synology Unified Controller (DSMUC) versions prior to 3.1.4-23079

Description

The issue is related to improper certificate validation in the update functionality, allowing remote attackers to write limited files via unspecified vectors.

Recommendations

For Synology BeeStation Manager (BSM) versions 1.1-65374 and earlier, update to version 1.1-65374 or later.
For Synology DiskStation Manager (DSM) versions prior to 6.2.4-25556-8, update to version 6.2.4-25556-8 or later.
For Synology DiskStation Manager (DSM) versions prior to 7.1.1-42962-7, update to version 7.1.1-42962-7 or later.
For Synology DiskStation Manager (DSM) versions prior to 7.2-64570-4, update to version 7.2-64570-4 or later.
For Synology DiskStation Manager (DSM) versions prior to 7.2.1-69057-6, update to version 7.2.1-69057-6 or later.
For Synology DiskStation Manager (DSM) versions prior to 7.2.2-72806-1, update to version 7.2.2-72806-1 or later.
For Synology Unified Controller (DSMUC) versions prior to 3.1.4-23079, update to version 3.1.4-23079 or later.

Fix

RCE

Improper Certificate Validation

Weakness Enumeration

Related Identifiers

BDU:2025-03799
CVE-2024-10445
ZDI-25-209
ZDI-25-210
ZDI-25-269

Affected Products

Synology Beestation Manager
Synology Diskstation Manager
Synology Unified Controller