Taiwan-based NAS maker Synology has addressed a maximum-severity (CVSS 10/10) vulnerability affecting routers configured to run as VPN servers.
The vulnerability, tracked as CVE-2022-43931, was discovered internally by Synology’s Product Security Incident Response Team (PSIRT) in the VPN Plus Server software and was given a maximum CVSS v3 Base Score of 10 by the company.
“A vulnerability allows remote attackers to possibly execute arbitrary commands via a susceptible version of Synology VPN Plus Server,” Synology said in a security advisory published on Friday.
The vulnerability can be exploited in low-complexity attacks without requiring privileges on the targeted routers or user interaction.
Affected product names and versions are listed below:
- VPN Plus Server for SRM 1.2 versions before 1.4.3-0534
- VPN Plus Server for SRM 1.3 versions before 1.4.4-0635
Synology also fixed multiple high-severity flaws in Synology Router Manager (SRM) itself in December 2022.
“Multiple vulnerabilities allow remote attackers to execute arbitrary commands, conduct denial-of-service attacks or read arbitrary files via a susceptible version of Synology Router Manager (SRM),” the company said at the time.
The vendor has not provided additional information or specific attack vectors for CVE-2022-43931.
Since a fix is available, administrators should update VPN Plus Server to version 1.4.3-0534 or later on SRM 1.2, and to version 1.4.4-0635 or later on SRM 1.3. Note that the fixed build depends on the SRM branch: a 1.4.3-0534 build is patched on SRM 1.2 but still affected on SRM 1.3.
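The affected-version list above is easy to misread in bulk, because the fixed build differs per SRM branch and because version strings such as 1.4.3-0534 do not compare correctly as plain strings (a later 1.4.10-xxxx build sorts before 1.4.3 lexically). The following is an added example, not Synology's code: it encodes only the two thresholds from the advisory and checks a small inventory against them. The MAJOR.MINOR.PATCH-BUILD version format is assumed from the advisory's own version strings, and the hostnames and inventory records are constructed for illustration; how the installed version string is obtained from a given router is outside the snippet.

```python
import re
from typing import Iterable

# Fixed builds per SRM branch, taken from the advisory:
#   SRM 1.2 -> VPN Plus Server 1.4.3-0534
#   SRM 1.3 -> VPN Plus Server 1.4.4-0635
FIXED_BUILD = {
    "1.2": "1.4.3-0534",
    "1.3": "1.4.4-0635",
}

# Assumed version format MAJOR.MINOR.PATCH-BUILD, e.g. "1.4.3-0534".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(\d+)$")


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '1.4.3-0534' into (1, 4, 3, 534) so comparisons are numeric.

    A plain string comparison would be wrong: '1.4.10-0001' sorts before
    '1.4.3-0534' lexically, and the leading zero in the build number
    would also skew the result.
    """
    match = _VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised VPN Plus Server version: {version!r}")
    return tuple(int(part) for part in match.groups())


def is_affected(srm_branch: str, installed: str) -> bool:
    """True if the installed build is below the fixed build for its SRM branch."""
    if srm_branch not in FIXED_BUILD:
        raise ValueError(f"no advisory data for SRM branch {srm_branch!r}")
    return parse_version(installed) < parse_version(FIXED_BUILD[srm_branch])


def affected_hosts(inventory: Iterable[tuple[str, str, str]]) -> list[str]:
    """Filter (hostname, srm_branch, vpn_plus_version) records down to vulnerable hosts."""
    return [host for host, branch, version in inventory if is_affected(branch, version)]


# Constructed sample inventory (hypothetical hostnames, not real devices).
SAMPLE_INVENTORY = [
    ("router-office", "1.2", "1.4.2-0500"),   # below 1.4.3-0534 -> affected
    ("router-lab",    "1.2", "1.4.3-0534"),   # exactly the fixed build -> not affected
    ("router-branch", "1.3", "1.4.3-0534"),   # same build, but SRM 1.3 needs 1.4.4-0635 -> affected
    ("router-hq",     "1.3", "1.4.4-0635"),   # fixed
    ("router-new",    "1.3", "1.4.10-0001"),  # later build; a string compare would flag this wrongly
]

if __name__ == "__main__":
    for host in affected_hosts(SAMPLE_INVENTORY):
        print(f"{host}: VPN Plus Server build is affected by CVE-2022-43931, update it")
```

The branch key matters: the same 1.4.3-0534 build is clean on SRM 1.2 and affected on SRM 1.3, so an inventory that records only the package version without the SRM branch cannot be checked correctly.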