Synology routers’ VPN software is again vulnerable to hacking. Synology has already shared a patch that can be used to close the back gate again.

It’s on tour with Synology this year. After the manufacturer had to publish an emergency patch in January to close a serious vulnerability in its routers, it’s that time again today. Like five months ago, the VPN software on the router is to blame. Attackers can inject remote SQL code to manipulate files. Synology itself rates the vulnerability as average, but the Germans rate the vulnerability as critical with a CVSS score of 9.1.

Fast update (if possible)

Synology does not provide any further details on what exactly is hidden behind the opened back door. It is clear that all versions of Synology Router Manager are vulnerable. Users running SRM 1.3 can immediately patch the vulnerable VPN Plus server. From version 1.4.6-0685 you can sleep peacefully again.

If your router is still running SRM 1.2, you have cause for concern. In this case, Synology does not yet have a patch for the VPN Plus server, nor does it share tactics to mitigate attacks. Disabling the VPN Plus server seems essential to us. After updating to SRM 1.3 you can install the patch, so we think that’s an interesting way.

Powerful but fragile software

Synology wants to appeal to companies with its routers and therefore provides the devices with a very clear and powerful operating system that is equipped with advanced functions. The built-in VPN server is a great advantage, at least in theory. With two critical vulnerabilities in less than six months, Synology shows that IT administrators should react quickly if they want to use the manufacturer’s hardware and software in a professional environment.