Synology has patched a critical vulnerability in VPN Plus Server that could allow attackers to remotely take control of affected systems.

The vulnerability, tracked as CVE-2022-43931, affects the remote desktop functionality of Synology VPN Plus Server and carries the maximum severity score of 10.0 on the CVSS scale.

According to the company, successful exploitation of the weakness “allows remote attackers to conduct arbitrary commands through unknown channels.” The flaw was discovered by Synology's own Product Security Incident Response Team.

Users of VPN Plus Server for Synology Router Manager (SRM) 1.2 and 1.3 are advised to update to versions 1.4.3-0534 and 1.4.4-0635, respectively.
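Because the fixed version differs by SRM branch, a quick inventory check has to compare version strings per branch rather than against a single number. The following is an added example (not Synology code, and not derived from any Synology tool); it encodes the two fixed versions named above, parses Synology's `major.minor.patch-build` version format, and reports which hosts in a constructed, made-up inventory still need the update. The hostnames and installed versions in `SAMPLE_INVENTORY` are invented for illustration.

```python
import re
from typing import List, Tuple

# Minimum fixed VPN Plus Server version per SRM branch, as stated in the advisory
# summarised above (SRM 1.2 -> 1.4.3-0534, SRM 1.3 -> 1.4.4-0635).
FIXED_VERSIONS = {
    "1.2": "1.4.3-0534",
    "1.3": "1.4.4-0635",
}

# Synology package versions look like "1.4.3-0534": major.minor.patch-build.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(\d+)$")


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn 'major.minor.patch-build' into a tuple of ints so versions compare numerically.

    Comparing the raw strings would be wrong: '1.4.10-0001' sorts before '1.4.3-0534'
    lexicographically but is the newer release.
    """
    m = VERSION_RE.match(v.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {v!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable(srm_branch: str, installed: str) -> bool:
    """True if the installed VPN Plus Server is older than the fixed build for its SRM branch."""
    if srm_branch not in FIXED_VERSIONS:
        raise ValueError(f"no fixed VPN Plus Server version known for SRM {srm_branch}")
    return parse_version(installed) < parse_version(FIXED_VERSIONS[srm_branch])


def assess(inventory: List[Tuple[str, str, str]]) -> List[str]:
    """Given (hostname, srm_branch, installed_version) records, return hosts still needing the update."""
    return [host for host, branch, version in inventory if is_vulnerable(branch, version)]


# Constructed sample inventory: hostnames and installed versions are made up for this example.
SAMPLE_INVENTORY = [
    ("router-branch-a", "1.2", "1.4.2-0501"),  # older than 1.4.3-0534 -> needs update
    ("router-branch-b", "1.2", "1.4.3-0534"),  # exactly the fixed build -> fine
    ("router-hq",       "1.3", "1.4.4-0600"),  # same patch level, older build -> needs update
    ("router-lab",      "1.3", "1.4.4-0635"),  # exactly the fixed build -> fine
]

if __name__ == "__main__":
    for host in assess(SAMPLE_INVENTORY):
        print(f"{host}: VPN Plus Server below fixed version, update required")
```

The check treats the fixed build as the minimum acceptable version, so any later release on the same branch passes; a host whose SRM branch is not in the table raises rather than silently passing, which is the safer default for an inventory script.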

This is not the first high-severity vulnerability that Synology has had to patch in one of its products; in December 2022, it fixed a number of issues with its Router Manager. According to a statement released at the time by the company, a vulnerable version of Synology Router Manager allowed remote attackers to access arbitrary files, run arbitrary code, or initiate DDoS attacks.

Although no CVEs were published for those weaknesses, at least two security researchers and teams demonstrated working proofs of concept against the Synology RT6600ax router at the Pwn2Own Toronto 2022 hacking competition. Cybersecurity researcher Gaurav Baruah successfully demonstrated a command injection attack against the WAN interface of the Synology RT6600ax and was awarded $20,000.

Synology VPN Plus Server customers should apply the latest patches promptly to protect against this critical vulnerability, which can lead to remote command execution. Synology's track record of serious vulnerabilities in its products makes timely patching all the more important; keeping up with security patches and upgrades remains essential to the safety and security of your systems.