CVE-2021-26560

9.0 CRITICAL

📋 TL;DR

CVE-2021-26560 allows man-in-the-middle attackers to intercept and spoof servers during HTTP sessions with synoagentregisterd in Synology DSM. This cleartext transmission vulnerability affects Synology DiskStation Manager users before version 6.2.3-25426-3.

💻 Affected Systems

Products:
  • Synology DiskStation Manager
Versions: All versions before 6.2.3-25426-3
Operating Systems: Synology DSM
Default Config Vulnerable: ⚠️ Yes
Notes: Affects synoagentregisterd service which handles agent registration communications.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could intercept sensitive information, spoof legitimate servers, and potentially gain unauthorized access to the DiskStation management system.

🟠 Likely Case

Information disclosure and server spoofing in environments where attackers can intercept network traffic between clients and the DiskStation.

🟢 If Mitigated

Limited impact with proper network segmentation, TLS enforcement, and updated systems.

🌐 Internet-Facing: HIGH - Direct internet exposure allows remote attackers to exploit this without network access.
🏢 Internal Only: MEDIUM - Requires attacker presence on internal network but still significant for lateral movement.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW - Requires network interception capability but no authentication.

Exploitation requires man-in-the-middle position in network path.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: DSM 6.2.3-25426-3 and later

Vendor Advisory: https://www.synology.com/security/advisory/Synology_SA_20_26

Restart Required: Yes

Instructions:

1. Log into the DSM web interface.
2. Navigate to Control Panel > Update & Restore.
3. Click 'Download' for available updates.
4. Click 'Install' when the download completes.
5. The system will restart automatically.

🔧 Temporary Workarounds

Network Segmentation

Isolate DiskStation from untrusted networks and limit access to trusted IPs only.

VPN Enforcement

Require VPN for all remote access to DiskStation management interface.

🧯 If You Can't Patch

  • Implement strict network access controls to limit exposure
  • Monitor for unusual network traffic patterns and authentication attempts

🔍 How to Verify

Check if Vulnerable:

Check the DSM version in Control Panel > Info Center > DSM version. If the version is below 6.2.3-25426-3, the system is vulnerable.

Check Version:

ssh admin@diskstation 'cat /etc.defaults/VERSION'

Verify Fix Applied:

Verify DSM version is 6.2.3-25426-3 or higher after update.
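The version check above can be scripted so the output of `cat /etc.defaults/VERSION` is compared against the fixed build rather than read by eye. The following is an added example, not code from the advisory or from Synology: it assumes the VERSION file is a shell-style key="value" file carrying `productversion`, `buildnumber` and `smallfixnumber` keys (an assumption to confirm against a real host), and the two sample files are constructed for illustration.

```python
"""Added example (not from the advisory or Synology): decide from the
contents of /etc.defaults/VERSION whether a DSM build is older than the
fixed release 6.2.3-25426-3 named in the CVE-2021-26560 advisory."""
import re
import sys
from typing import Dict, Tuple

# Fixed release from the advisory: DSM 6.2.3-25426-3
FIXED = (6, 2, 3, 25426, 3)

# Constructed sample of an unpatched host's VERSION file (not real output).
# Key names are an assumption about the file format.
SAMPLE_VULNERABLE = '''majorversion="6"
minorversion="2"
productversion="6.2.3"
buildphase="GM"
buildnumber="25426"
smallfixnumber="2"
'''

# Constructed sample of a patched host's VERSION file (not real output).
SAMPLE_FIXED = '''majorversion="6"
minorversion="2"
productversion="6.2.3"
buildphase="GM"
buildnumber="25426"
smallfixnumber="3"
'''

# One key="value" line; tolerates unquoted values and surrounding whitespace.
_KV = re.compile(r'^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*"?([^"\n]*?)"?\s*$')


def parse_version_file(text: str) -> Dict[str, str]:
    """Parse the key/value lines of a VERSION file into a dict."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        m = _KV.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def dsm_version_tuple(fields: Dict[str, str]) -> Tuple[int, int, int, int, int]:
    """Build a comparable (major, minor, patch, build, smallfix) tuple."""
    product = fields.get("productversion")
    if not product:
        raise ValueError("productversion missing from VERSION file")
    parts = [int(p) for p in product.split(".")]
    while len(parts) < 3:          # e.g. "7.0" -> (7, 0, 0)
        parts.append(0)
    build = int(fields.get("buildnumber", "0"))
    smallfix = int(fields.get("smallfixnumber", "0"))  # absent on some builds
    return (parts[0], parts[1], parts[2], build, smallfix)


def format_version(v: Tuple[int, int, int, int, int]) -> str:
    """Render a version tuple in DSM's X.Y.Z-build-smallfix form."""
    return f"{v[0]}.{v[1]}.{v[2]}-{v[3]}-{v[4]}"


def is_vulnerable(text: str) -> bool:
    """True when the parsed build is strictly older than the fixed release."""
    return dsm_version_tuple(parse_version_file(text)) < FIXED


if __name__ == "__main__":
    # Pipe real output in: ssh admin@diskstation 'cat /etc.defaults/VERSION' | python3 check.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_VULNERABLE
    found = dsm_version_tuple(parse_version_file(text))
    state = "VULNERABLE" if found < FIXED else "patched"
    print(f"DSM {format_version(found)} (fixed in {format_version(FIXED)}): {state}")
```

Tuple comparison orders the product version before the build and small-fix numbers, which matches the advisory's "all versions before 6.2.3-25426-3": a 7.x host compares as newer regardless of its build number, and a 6.2.3-25426-2 host is flagged because only the small-fix number is short.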

📡 Detection & Monitoring

Log Indicators:

  • Unusual authentication patterns
  • Multiple failed registration attempts
  • Unexpected source IPs accessing synoagentregisterd

Network Indicators:

  • Cleartext HTTP traffic to DiskStation on registration ports
  • Unencrypted agent registration communications

SIEM Query:

source="synology" AND (event="authentication_failure" OR event="registration_failure")
