New Admin Takeover Vulnerability Exposed in Synology’s DiskStation Manager


A medium-severity flaw has been discovered in Synology’s DiskStation Manager (DSM) that could be exploited to decipher an administrator’s password and remotely hijack the account.

“Under some rare conditions, an attacker could leak enough information to restore the seed of the pseudorandom number generator (PRNG), reconstruct the admin password, and remotely take over the admin account,” Claroty’s Sharon Brizinov said in a Tuesday report.

The flaw, assigned the identifier CVE-2023-2729, is rated 5.9 for severity on the CVSS scoring scale. The flaw was addressed by Synology as part of updates released in June 2023.

Read more…