Using a Synology NAS? Patch this MITM vulnerability now


Clients of popular network-attached storage (NAS) appliance vendor Synology were briefly exposed to a man-in-the-middle (MITM) attack, the company has revealed.

Synology identified an improper certificate validation vulnerability in the OpenVPN client of their Synology Router Manager (SRM) as the culprit.

Because of this vulnerability, unscrupulous agents could have harvested sensitive login credentials from users by crafting a fake SSL certificate and presenting it to the client.

To its credit, Synology was quick to issue an update to eliminate the threat; the Talos Vulnerability Report on the issue explains it in more detail.

According to the report, there was an information disclosure vulnerability in the QuickConnect authentication function of the SRM. This meant attackers were in a position to exploit the flaw and impersonate a valid remote VPN endpoint.

This would cause unsuspecting users to provide the attackers with their VPN credentials. Attackers could then use this information to impersonate the remote client and in turn obtain the router’s credentials as well.

The report also states that an attacker could perform a man-in-the-middle attack to trigger this vulnerability.
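The article does not describe what Synology changed in its OpenVPN client, so the following is an added illustration rather than Synology's code or fix: a generic OpenVPN 2.x client profile with weak server-certificate validation beside the same profile with the checks a practitioner should look for. The hostname `vpn.example.com`, the CA bundle `ca.crt` and the key file `ta.key` are placeholders, not values from the advisory.

```text
# --- Weak profile (illustrative) ---
# The client only checks that the server's certificate chains to the CA.
# Any certificate issued by that CA, including an ordinary client
# certificate, would be accepted as "the server", so whoever can present
# such a certificate in a MITM position can collect the VPN credentials.
client
dev tun
proto udp
remote vpn.example.com 1194
ca ca.crt

# --- Hardened profile (illustrative) ---
# Same connection, plus explicit server-identity checks.
client
dev tun
proto udp
remote vpn.example.com 1194
ca ca.crt
# Require the TLS Web Server extended key usage on the peer certificate,
# so a client certificate from the same CA is rejected as a server.
remote-cert-tls server
# Require the peer certificate's Common Name to match the expected server.
verify-x509-name vpn.example.com name
# Placeholder key: peers that do not hold it cannot even complete a handshake.
tls-crypt ta.key
```

When auditing your own OpenVPN client profiles, the presence of `remote-cert-tls server` and `verify-x509-name` is the quick check; a profile that relies on `ca` alone trusts every certificate the CA ever issued.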

All’s well that ends well

Synology was quick to flag this vulnerability, which affects SRM versions prior to v1.2.4-8081, as severe.   

Soon afterwards the company fixed the issue by releasing an update to the SRM. The company advises all its users to update to v1.2.4-8081. 

We’d like to use this opportunity to remind all our readers to keep their software updated. Most applications update themselves automatically by default.

If you’ve chosen to override this behaviour and install updates manually, keep your eyes peeled for security updates and apply them as soon as they are available.

Mayank Sharma

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.
