In the past week, Synology published a critical advisory, SA-22:26, for its VPN Plus Server package, rated at the maximum severity score of 10.

The advisory described the vulnerability as follows:

A vulnerability allows remote attackers to possibly execute arbitrary commands via a susceptible version of Synology VPN Plus Server.

VPN Plus Server for both SRM 1.2 and SRM 1.3 is affected; the fixed versions are 1.4.3-0534 and 1.4.4-0635.

The exact details of this CVE are as follows:

  • CVE-2022-43931
  • Severity: Critical
  • CVSS3 Base Score: 10.0
  • CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
  • Out-of-bounds write vulnerability in Remote Desktop Functionality in Synology VPN Plus Server before 1.4.3-0534 and 1.4.4-0635 allows remote attackers to execute arbitrary commands via unspecified vectors.

This issue was detected on 30.12.2022 and mitigated by Synology's internal PSIRT team on 03.01.2023.

If this package is in use, it is highly advisable to install the fixed versions to close this attack vector!

Official information is available on Synology's security advisory page.