Synology Drive Server Missing Authentication Vulnerability in Web API Component Allowing Credential Theft

Vulnerability

A vulnerability exists in the web API component of Synology Drive Server in several versions prior to the latest releases. This vulnerability allows remote attackers to obtain administrator credentials through unspecified methods, due to a lack of authentication for critical functions.

Impact

Exploitation of this vulnerability allows remote attackers to gain unauthorized access to administrator credentials, potentially leading to elevated privileges and access to sensitive administrative functions.

Remediation

Users can upgrade to Synology Drive Server versions 3.5.1-26102, 3.5.0-26085, 3.2.1-23280, or 3.0.4-12699, depending on their current version.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 7.3
impact: 5.0
exploitability: 7.4
remediation: 7.7
relevance: 0.0
threat: 0.1
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.