ZDI 2026-03-16

ZDI-26-187: (Pwn2Own) Synology DiskStation Manager Netatalk Library Buffer Overflow Remote Code Execution Vulnerability

CVE-2022-45188

Machine-generated analysis · WAYSCloud LLM

The vulnerability affects Synology DiskStation Manager's Netatalk library and permits remote code execution without authentication.

Context

Synology DiskStation Manager is affected through its Netatalk library. The vulnerability is a buffer overflow that enables remote code execution. Authentication is not required to exploit the vulnerability. The ZDI assigned a CVSS rating of 9.8, indicating high severity according to their scoring.

Operator considerations

- Check: Inventory Synology DiskStation Manager instances using the Netatalk library.

From Zero Day Initiative ↗

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Synology DiskStation Manager. Authentication is not required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 9.8. The following CVEs are assigned: CVE-2022-45188.

Read the full advisory on ZDI →