Synology-SA-25:14 DSM (PWN2OWN 2025)
- Severity: Important
- Status: Resolved
Abstract
Synology has released a security update for DSM to address ZDI-CAN-28409:
- CVE-2025-13392 allows remote attackers to bypass authentication with prior knowledge of the distinguished name (DN).
Please refer to the 'Affected Products' table for the corresponding updates.
Affected Products
| Product | Severity | Fixed Release Availability |
|---|---|---|
| DSM 7.3 | Important | Upgrade to 7.3.1-86003-1 or above. |
| DSM 7.2.2 | Important | Upgrade to 7.2.2-72806-5 or above. |
| DSM 7.2.1 | Not affected | N/A |
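The table above is the only remediation the advisory gives, so the practical check is whether an installed DSM version is at or above the fixed release for its branch. The following script is an added example, not a Synology tool: it parses a DSM version either from a version string such as `7.2.2-72806-5` or from a constructed copy of `/etc.defaults/VERSION` (the assumption here is that this file holds shell-style `key="value"` lines named `majorversion`, `minorversion`, `micro`, `buildnumber` and `smallfixnumber`), then compares it against the fixed releases listed in this advisory. The sample file contents and the `smallfixnumber` in it are constructed for illustration.

```python
import re

# Fixed releases taken from the advisory's "Affected Products" table, as
# (major, minor, micro, build, smallfix) tuples, keyed by release branch.
FIXED_RELEASES = {
    (7, 3): (7, 3, 1, 86003, 1),      # DSM 7.3   -> 7.3.1-86003-1 or above
    (7, 2, 2): (7, 2, 2, 72806, 5),   # DSM 7.2.2 -> 7.2.2-72806-5 or above
}
NOT_AFFECTED = {(7, 2, 1)}            # DSM 7.2.1 is listed as not affected

# Constructed sample of /etc.defaults/VERSION (format is an assumption; the
# smallfixnumber value is made up to show an unpatched 7.2.2 install).
SAMPLE_VERSION_FILE = '''majorversion="7"
minorversion="2"
micro="2"
buildnumber="72806"
smallfixnumber="3"
productversion="7.2.2"
'''


def parse_version_file(text):
    """Turn the key="value" lines of a VERSION file into a 5-tuple."""
    kv = dict(re.findall(r'^(\w+)="([^"]*)"', text, re.M))
    return (
        int(kv["majorversion"]),
        int(kv["minorversion"]),
        int(kv.get("micro", "0")),
        int(kv["buildnumber"]),
        int(kv.get("smallfixnumber", "0")),
    )


def parse_version_string(s):
    """Parse '7.3.1-86003-1' or '7.2.2-72806' (no small fix) into a 5-tuple."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?-(\d+)(?:-(\d+))?", s.strip())
    if not m:
        raise ValueError(f"unrecognised DSM version: {s!r}")
    return (int(m[1]), int(m[2]), int(m[3] or 0), int(m[4]), int(m[5] or 0))


def assess(version):
    """Classify a version tuple against the advisory: 'fixed', 'vulnerable',
    'not affected', or 'not listed' for branches the advisory does not cover."""
    major, minor, micro = version[:3]
    if (major, minor, micro) in NOT_AFFECTED:
        return "not affected"
    # Exact x.y.z branch first (7.2.2), then the wider x.y branch (7.3).
    fixed = FIXED_RELEASES.get((major, minor, micro)) or FIXED_RELEASES.get((major, minor))
    if fixed is None:
        return "not listed"
    # Tuple comparison orders by major, minor, micro, build, then small fix,
    # which matches how "or above" reads in the table.
    return "fixed" if version >= fixed else "vulnerable"


def assess_version_file(text):
    return assess(parse_version_file(text))


if __name__ == "__main__":
    print("sample VERSION file:", assess_version_file(SAMPLE_VERSION_FILE))
    for v in ("7.3.1-86003-1", "7.3-86003", "7.2.2-72806-5", "7.2.2-72806-4"):
        print(v, "->", assess(parse_version_string(v)))
```

On a live system the same check is `assess_version_file(open("/etc.defaults/VERSION").read())`; a result of `not listed` means the branch is outside this advisory's table and should be checked against Synology's other advisories rather than assumed safe.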
Mitigation
None
Detail
- CVE-2025-13392
- Severity: Important
- CVSS3 Base Score: 8.1
- CVSS3 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
- CWE-754: Improper Check for Unusual or Exceptional Conditions
Acknowledgement
Le Trong Phuc (chanze@VRC) and Cao Ngoc Quy (Chino Kafuu)
Revision
| Revision | Date | Description |
|---|---|---|
| 1 | 2025-11-19 | Initial public release. |