Synology DiskStation Manager Vulnerability Allows Remote Attackers to Execute Arbitrary Commands

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

A critical security advisory has been issued for a severe vulnerability in DiskStation Manager (DSM) that allows unauthenticated remote attackers to execute arbitrary commands.

Given the widespread use of Synology network-attached storage (NAS) systems for enterprise backups and data management, network administrators are strongly urged to apply the available patches immediately.

Tracked as CVE-2026-32746, the vulnerability carries a near-maximum CVSSv3 base score of 9.8, categorizing it as a critical threat.

The core issue originates from the telnetd daemon within the GNU Inetutils package, specifically affecting versions up to 2.7. The security defect is classified as a classic buffer overflow (CWE-120).

During an active network session, the LINEMODE SLC (Set Local Characters) suboption handler processes input improperly because the add_slc function fails to check whether its buffer is already full.

This oversight leads to a dangerous out-of-bounds write. By exploiting this memory corruption, a threat actor can bypass authentication entirely and execute malicious commands directly on the host system.

NAS devices remain highly valuable targets for ransomware operators and data extortion groups. Because these systems often house sensitive corporate data and critical backups, any remote command-execution vulnerability poses a significant organizational risk.

An unauthenticated compromise could allow threat actors to deploy ransomware payloads, exfiltrate confidential files, or establish persistent backdoors within the internal network before security teams even detect an intrusion.

Affected Products and Patches

Synology has confirmed that the vulnerability critically impacts multiple versions of DSM and DSMUC. Synology has released updates for most of the affected operating systems to address the flaw. Administrators running DSM 7.3 must upgrade to version 7.3.2-86009-3 or newer.

Those utilizing DSM 7.2.2 need to update to version 7.2.2-72806-8 or later, while systems on DSM 7.2.1 require an upgrade to 7.2.1-69057-11 or above. For DSMUC 3.1, a critical security patch remains under active development.

Meanwhile, other enterprise products, including BeeStation OS 1.4, SRM 1.3, and VS600HD 1.2, are completely unaffected by this specific GNU Inetutils vulnerability.

For administrators managing systems with a pending patch, such as DSMUC 3.1, Synology strongly recommends applying an immediate temporary mitigation.

Because the vulnerability specifically requires access to the Telnet protocol, turning off the Telnet service entirely neutralizes the risk of remote exploitation.

Administrators can secure their devices by navigating to the Control Panel, accessing the Terminal settings, unchecking the “Enable Telnet service” option, and clicking Apply.

Since Telnet transmits data in plaintext and is widely considered an outdated protocol, permanently disabling it aligns with modern cybersecurity best practices.
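The fixed builds listed under Affected Products and the Telnet mitigation described above can be turned into a simple fleet triage check. The script below is an added example, not Synology's tooling: it parses DSM version strings of the form major.minor[.patch]-build[-hotfix], compares each against the advisory's minimum fixed build for its release line, and combines the result with whether the Telnet service is enabled. The version strings passed to it in the usage block are constructed for illustration.

```python
import re

# Minimum fixed builds per DSM release line, as stated in the Synology advisory
# for CVE-2026-32746 (values taken from the article above).
FIXED_BUILDS = {"7.3": "7.3.2-86009-3", "7.2.2": "7.2.2-72806-8", "7.2.1": "7.2.1-69057-11"}

# DSM version strings look like "7.2.2-72806-8": major.minor[.patch]-build[-hotfix].
VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?-(\d+)(?:-(\d+))?$")


def parse_dsm_version(text):
    """Turn a DSM version string into a tuple that compares in release order."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised DSM version: {text!r}")
    major, minor, patch, build, hotfix = m.groups()
    # A missing hotfix number counts as 0, so "7.3.2-86009" sorts below "7.3.2-86009-3".
    return (int(major), int(minor), int(patch or 0), int(build), int(hotfix or 0))


def patch_status(version_text):
    """Return 'patched', 'vulnerable', or 'not-listed' for one DSM version string."""
    version = parse_dsm_version(version_text)
    if version[:2] == (7, 3):
        line = "7.3"
    elif version[:3] in ((7, 2, 2), (7, 2, 1)):
        line = "7.2.%d" % version[2]
    else:
        return "not-listed"  # the advisory names no fixed build for this line
    return "patched" if version >= parse_dsm_version(FIXED_BUILDS[line]) else "vulnerable"


def assess(version_text, telnet_enabled):
    """Combine patch level with the Telnet setting into a triage verdict."""
    status = patch_status(version_text)
    if status == "patched":
        return "ok"
    if not telnet_enabled:
        # The bug is only reachable over Telnet, so a disabled service is a stopgap, not a fix.
        return f"{status}: mitigated, patch when available"
    return f"{status}: exposed, patch or disable Telnet now"


if __name__ == "__main__":
    # Constructed examples: a build one hotfix short of the fix, and the fixed build itself.
    for version, telnet in (("7.2.2-72806-7", True), ("7.2.2-72806-8", True)):
        print(version, "->", assess(version, telnet))
```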
