Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
Improper check for unusual or exceptional conditions vulnerability in SSO in Synology DiskStation Manager (DSM) before 7.2.2-72806-5 and 7.3.1-86003-1 (7.2.1-69057 is not affected) allows remote attackers to bypass authentication with prior knowledge of the distinguished name (DN).
AnalysisAI
Authentication bypass in Synology DiskStation Manager (DSM) SSO lets remote, unauthenticated attackers who already know a valid account's distinguished name (DN) impersonate that identity and gain access to the NAS, with high confidentiality, integrity, and availability impact (CVSS 8.1). The flaw stems from an improper check of an exceptional condition (CWE-754) in the single sign-on flow. There is no public exploit identified at time of analysis, and the EPSS probability is very low (0.05%, 17th percentile), consistent with the high attack complexity Synology assigned.
Technical ContextAI
The affected component is the single sign-on (SSO) subsystem of Synology DiskStation Manager (DSM), the web-based operating system for Synology NAS appliances. The root cause is classified as CWE-754 (Improper Check for Unusual or Exceptional Conditions): a code path in the SSO authentication logic fails to properly validate or handle an exceptional state, so an attacker who supplies a known distinguished name (DN) - the LDAP/directory-style identifier of an existing principal - can pass the authentication gate without supplying valid credentials. The distinguished name is a directory-service concept, indicating the SSO integration ties into a directory backend where DNs identify users; knowledge of a valid DN is the gating prerequisite the CVSS team modeled as high attack complexity (AC:H). No CPE strings were supplied in the input, so exact platform identifiers cannot be enumerated beyond the DSM version ranges provided.
RemediationAI
Apply the vendor-released patch: upgrade DSM to 7.3.1-86003-1 (for the 7.3 branch) or 7.2.2-72806-5 (for the 7.2.2 branch); DSM 7.2.1-69057 is already unaffected and can serve as a known-good baseline if upgrade scheduling is constrained. Because the vulnerability lives in the SSO flow, an effective interim compensating control is to disable SSO on the DSM instance until patching, which closes the exploitable path at the cost of removing single sign-on convenience for users. Additionally, restrict network exposure of the DSM web/SSO interface - do not expose DSM directly to the internet; place it behind a VPN or restrict the management interface to trusted source IPs, which limits who can reach the vulnerable endpoint but does not remediate the flaw itself. Treat any directory distinguished names as sensitive to reduce the chance an attacker can satisfy the DN precondition. See the Synology advisory at https://www.synology.com/en-global/security/advisory/Synology_SA_25_14 for authoritative fixed-version details.
webman/imageSelector.cgi in Synology DiskStation Manager (DSM) 4.0 before 4.0-2259, 4.2 before 4.2-3243, and 4.3 before
Command injection vulnerability in smart.cgi in Synology DiskStation Manager (DSM) before 5.2-5967-5 allows remote authe
An information exposure vulnerability in forget_passwd.cgi in Synology DiskStation Manager (DSM) before 6.1.3-15152 allo
Synology Video Station before 1.5-0763 allows remote attackers to execute arbitrary shell commands via shell metacharact
Multiple directory traversal vulnerabilities in the FileBrowser components in Synology DiskStation Manager (DSM) before
An information exposure vulnerability in index.php in Synology Photo Station before 6.7.3-3432 and 6.3-2967 allows remot
Deserialization vulnerability in synophoto_csPhotoMisc.php in Synology Photo Station before 6.7.3-3432 and 6.3-2967 allo
A vulnerability in synotheme_upload.php in Synology Photo Station before 6.7.3-3432 and 6.3-2967 allows remote attackers
Command injection vulnerability in login.php in Synology Photo Station before 6.5.3-3226 allows remote attackers to exec
Directory traversal vulnerability in PixlrEditorHandler.php in Synology Photo Station before 6.7.3-3432 and 6.3-2967 all
Improper access control vulnerability in Synology Router Manager (SRM) before 1.2.4-8081 allows remote attackers to acce
Improper neutralization of special elements used in an OS command ('OS Command Injection') vulnerability in Task Manager
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-209956
GHSA-g37m-8w79-wgp5