Synology DSM Vulnerability Lets Hackers Read Any File Remotely

A severe security vulnerability has been identified in Synology’s DiskStation Manager (DSM) software, alarming organizations and individuals who rely on the popular network-attached storage (NAS) solution. This vulnerability enables remote attackers to read arbitrary files through the Network File System (NFS) service without needing proper authorization. Tracked as CVE-2025-1021, the flaw has been addressed in recent updates and impacts multiple versions of the DSM operating system.

1. Synology NFS Vulnerability – CVE-2025-1021

The security flaw, rated “Important” with a CVSS3 Base Score of 7.5, stems from a missing authorization vulnerability in the “synocopy” component of Synology’s DSM. It allows unauthenticated remote attackers to bypass security controls and access sensitive files through a writable NFS service. According to the technical details released by Synology on February 26, 2025, and updated on April 23, 2025, the CVSS3 vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. This vector describes a network-exploitable vulnerability with low attack complexity that requires no privileges or user interaction and has a high confidentiality impact, with no impact on integrity or availability.

The vulnerability is particularly concerning because it allows attackers to read arbitrary files without authentication, making it an appealing target for cybercriminals. Organizations using Synology NAS devices should update immediately to prevent unauthorized access to sensitive data. The discovery of this vulnerability is credited to the DEVCORE Research Team (devco.re), recognized for identifying critical security issues in enterprise software and hardware products. Their findings underscore the need for robust security measures and timely updates to protect critical infrastructure.

2. Affected Products and Remediation

The vulnerability affects several versions of Synology’s DSM operating system, necessitating swift action from users to secure their systems. Specifically, the affected versions and required updates to mitigate the risk are as follows:

  • DSM 7.2.2: Users should upgrade to version 7.2.2-72806-3 or later.
  • DSM 7.2.1: Users should upgrade to version 7.2.1-69057-7 or later.
  • DSM 7.1: Users should upgrade to version 7.1.1-42962-8 or later.

Synology has confirmed that there are no mitigations available other than applying the updates, emphasizing the importance of prompt action. Users must ensure their systems are patched to prevent unauthorized access to sensitive information, highlighting the urgency of maintaining up-to-date security protocols in the face of evolving threats.

Security experts advise that users of Synology NAS devices take several critical steps immediately. These include checking the DSM version running on all Synology devices, applying the appropriate updates based on the current version, reviewing NFS share configurations and permissions, and monitoring system logs for any suspicious activity that might indicate previous exploitation. These measures are crucial for safeguarding data and preventing potential breaches.
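The version check described above can be scripted across an inventory. The following Python is an added example, not code from Synology or the original article; it compares DSM version strings against the fixed releases listed above. The hostnames and inventory versions are constructed, and branches the article does not list are reported as `not_listed` rather than assumed safe.

```python
import re

# First fixed release per affected branch, as listed in the article.
# Key: branch prefix; value: (major, minor, micro, build, update).
FIXED = {
    (7, 2, 2): (7, 2, 2, 72806, 3),
    (7, 2, 1): (7, 2, 1, 69057, 7),
    (7, 1):    (7, 1, 1, 42962, 8),
}

# Accepts "7.2.1-69057-7" as well as the UI form "DSM 7.2.1-69057 Update 7".
_VERSION_RE = re.compile(
    r"(\d+)\.(\d+)(?:\.(\d+))?-(\d+)(?:(?:-|\s+Update\s+)(\d+))?", re.I)

def parse_dsm_version(text):
    """Return (major, minor, micro, build, update), or None if unparseable."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    # A missing micro or update number is treated as 0.
    return tuple(int(g) if g else 0 for g in m.groups())

def classify(text):
    """Return 'patched', 'vulnerable', 'not_listed' or 'unparseable'."""
    v = parse_dsm_version(text)
    if v is None:
        return "unparseable"
    # Try the three-part branch keys before the two-part 7.1 key.
    for branch in sorted(FIXED, key=len, reverse=True):
        if v[:len(branch)] == branch:
            return "patched" if v >= FIXED[branch] else "vulnerable"
    return "not_listed"  # the article gives no fixed version for this branch

# Constructed inventory (hostnames and versions are made up for the example).
INVENTORY = {
    "nas-01": "DSM 7.2.2-72806-3",
    "nas-02": "DSM 7.2.1-69057 Update 5",
    "nas-03": "7.1-42661-4",
    "nas-04": "DSM 7.2-64570 Update 1",
    "nas-05": "unknown",
}

def audit(inventory):
    """Map each host to its classification."""
    return {host: classify(ver) for host, ver in inventory.items()}

if __name__ == "__main__":
    for host, status in audit(INVENTORY).items():
        print(f"{host}: {status}")
```

Hosts reported as `not_listed` or `unparseable` need a manual check against Synology's advisory.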

3. Recommendations for Users

A critical security flaw has been discovered in Synology’s DiskStation Manager (DSM) software, causing concern among organizations and individuals who depend on this widely used network-attached storage (NAS) solution. This vulnerability, identified as CVE-2025-1021, allows remote attackers to access and read arbitrary files via the Network File System (NFS) service without the need for proper authorization. The flaw affects numerous versions of the DSM operating system and has been rectified in recently released updates.

Synology’s DiskStation Manager is an essential tool for data storage and backup, offering a centralized platform that many rely upon. The discovery of such a significant vulnerability highlights the importance of regular software updates and patch management. Users are strongly encouraged to update to the latest DSM versions to protect their data and prevent unauthorized access. The manufacturer’s response to this issue underlines the ongoing battle against cybersecurity threats and the necessity for vigilance in managing storage solutions.
