The flaw, tracked as CVE-2025-1021, was rated “Important” and affected multiple DSM versions, prompting urgent patch releases and advisories for all users.
The vulnerability stemmed from a missing authorization check in the synocopy component of DSM, specifically impacting writable NFS services.
This flaw allowed unauthenticated remote attackers to read arbitrary files on affected Synology NAS devices without needing user interaction or credentials.
As a result, sensitive data—including personal files and business documents—could be exposed to unauthorized parties.
The Common Vulnerability Scoring System (CVSS v3.1) assigned this issue a base score of 7.5, reflecting its seriousness.
The attack vector was network-based, with low complexity and no privileges required, making exploitation feasible for remote threat actors.
The vulnerability was responsibly disclosed by the DEVCORE Research Team, and Synology responded promptly with patches.
The table below summarizes the affected DSM versions and the corresponding fixed releases:

| Product | Severity | Fixed Release Version |
|---|---|---|
| DSM 7.2.2 | Important | 7.2.2-72806-3 or above |
| DSM 7.2.1 | Important | 7.2.1-69057-7 or above |
| DSM 7.1 | Important | 7.1.1-42962-8 or above |

Synology strongly urges all users of the affected DSM versions to upgrade immediately to the specified fixed releases or later.
There are no alternative mitigation strategies available; applying the update is the only way to secure vulnerable systems.
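
Because patching is the only remedy, the practical task is finding which units in an inventory are still below the fixed release for their branch. The following is an added example, not code from Synology or the original article: it assumes version strings in the `X.Y[.Z]-BUILD[-UPDATE]` form used in the table above, and the host names and the `status`/`audit` helpers are hypothetical.

```python
import re

# Fixed releases copied from the advisory table: branch -> (build, update).
FIXED = {
    "7.2.2": (72806, 3),
    "7.2.1": (69057, 7),
    "7.1": (42962, 8),
}

VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?-(\d+)(?:-(\d+))?$")


def parse(version):
    """Split 'X.Y[.Z]-BUILD[-UPDATE]' into (branch candidates, build, update)."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised DSM version string: {version!r}")
    major, minor, micro, build, update = m.groups()
    # Try the most specific branch first (7.2.1), then the minor line (7.1).
    candidates = [f"{major}.{minor}"]
    if micro is not None:
        candidates.insert(0, f"{major}.{minor}.{micro}")
    # A string without an update suffix is treated as update 0.
    return candidates, int(build), int(update or 0)


def status(version):
    """Return 'patched', 'needs-update', or 'not-listed' for one version string."""
    candidates, build, update = parse(version)
    branch = next((b for b in candidates if b in FIXED), None)
    if branch is None:
        # Branch is absent from the table: check the vendor advisory by hand.
        return "not-listed"
    return "patched" if (build, update) >= FIXED[branch] else "needs-update"


def audit(inventory):
    """Map each host in {host: version} to its status."""
    return {host: status(version) for host, version in inventory.items()}


# Constructed sample inventory (host names and installed versions are made up).
SAMPLE = {
    "nas-office": "7.2.2-72806-3",
    "nas-backup": "7.2.1-69057-5",
    "nas-lab": "7.1.1-42962-6",
    "nas-old": "7.2-64570-1",
}

if __name__ == "__main__":
    for host, result in audit(SAMPLE).items():
        print(f"{host:12} {SAMPLE[host]:16} {result}")
```

Hosts reported as `not-listed` are on a branch the table does not cover, so the script makes no claim about them either way.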
The vulnerability was first publicly disclosed on February 26, 2025, with full technical details released on April 23, 2025, after patches were made available.
Synology’s coordinated response with security researchers helped minimize the potential impact of the flaw, but the incident highlights the ongoing importance of timely updates and vigilant monitoring of NAS devices—especially those using network file systems.
This case underscores the critical role of regular software updates and proactive security practices for both home and enterprise NAS environments.

| Aspect | Details |
|---|---|
| Vulnerability ID | CVE-2025-1021 |
| Component | synocopy (NFS Service) |
| Severity | Important |
| CVSS v3.1 Score | 7.5 |
| Attack Vector | Network, no authentication required |
| Disclosure Date | 2025-02-26 (initial), 2025-04-23 (full) |
| Reporter | DEVCORE Research Team |
The post Synology NFS Vulnerability Allows Unauthorized File Access appeared first on Cyber Security News.