CVE-2021-29087

7.5 HIGH

📋 TL;DR

This path traversal vulnerability in Synology DiskStation Manager's webapi component allows remote attackers to write arbitrary files to restricted directories. It affects Synology DSM versions before 6.2.3-25426-3, potentially enabling attackers to modify system files or upload malicious content.

💻 Affected Systems

Products:
  • Synology DiskStation Manager (DSM)
Versions: All versions before 6.2.3-25426-3
Operating Systems: Synology DSM
Default Config Vulnerable: ⚠️ Yes
Notes: Affects webapi component specifically; requires web interface access.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise through arbitrary file write leading to remote code execution, data theft, or ransomware deployment.

🟠

Likely Case

Unauthorized file modification, configuration changes, or malware upload to the NAS system.

🟢

If Mitigated

Limited impact if proper network segmentation and access controls prevent exploitation attempts.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Vectors unspecified in advisory; requires web access but authentication status unclear.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: DSM 6.2.3-25426-3 and later

Vendor Advisory: https://www.synology.com/security/advisory/Synology_SA_20_26

Restart Required: Yes

Instructions:

1. Log into the DSM web interface.
2. Go to Control Panel > Update & Restore.
3. Click 'Download DSM Update' if available.
4. Click 'Install Now' for DSM 6.2.3-25426-3 or later.
5. The system will restart automatically.

🔧 Temporary Workarounds

Network Access Restriction

Restrict access to DSM web interface to trusted networks only

Firewall Rules

Block external access to DSM web ports (default 5000/5001)

🧯 If You Can't Patch

  • Isolate Synology device on separate VLAN with strict access controls
  • Implement web application firewall (WAF) with path traversal protection rules

🔍 How to Verify

Check if Vulnerable:

Check DSM version in Control Panel > Info Center > DSM version

Check Version:

ssh admin@synology 'cat /etc.defaults/VERSION'

Verify Fix Applied:

Verify DSM version is 6.2.3-25426-3 or later after update

📡 Detection & Monitoring

Log Indicators:

  • Unusual file write operations in webapi logs
  • Path traversal patterns in web access logs

Network Indicators:

  • HTTP requests with directory traversal sequences (../, ..\) to webapi endpoints

SIEM Query:

source="dsm_logs" AND ("..\\" OR "../" OR "%2e%2e") AND "webapi"
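As an added example that is not part of this advisory, the following Python script applies the same detection logic as the SIEM query above to web access log lines: it percent-decodes the request target, requires a real path separator after the dots, and only reports requests aimed at webapi. The log format and the sample lines are constructed assumptions, not real Synology logs.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (common log format) used only to
# demonstrate the detection logic; they are not real Synology logs.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Apr/2021:10:00:01 +0000] "GET /webapi/entry.cgi?api=SYNO.Core.System HTTP/1.1" 200 512
10.0.0.9 - - [01/Apr/2021:10:00:02 +0000] "POST /webapi/entry.cgi?path=../../etc/passwd HTTP/1.1" 200 128
10.0.0.9 - - [01/Apr/2021:10:00:03 +0000] "POST /webapi/entry.cgi?path=%2e%2e%2f%2e%2e%2fetc HTTP/1.1" 200 128
10.0.0.9 - - [01/Apr/2021:10:00:04 +0000] "GET /webapi/upload.cgi?name=..%5c..%5cwindows HTTP/1.1" 200 64
10.0.0.7 - - [01/Apr/2021:10:00:05 +0000] "GET /photo/../index.html HTTP/1.1" 404 0
10.0.0.8 - - [01/Apr/2021:10:00:06 +0000] "GET /webapi/entry.cgi?path=docs..v2 HTTP/1.1" 200 64
"""

# client IP at line start; request line as "METHOD target HTTP/x.y"
LINE_RE = re.compile(r'^(?P<client>\S+) .*? "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# a traversal needs ".." followed by a path separator; bare ".." (e.g. "docs..v2") is noise
TRAVERSAL_RE = re.compile(r'\.\.[/\\]')


def normalize_target(target):
    """Percent-decode twice so %2e%2e%2f and double-encoded %252e%252e%252f both become ../."""
    return unquote(unquote(target))


def is_webapi_traversal(target):
    """True if the request targets /webapi/ and carries ../ or ..\\ after decoding."""
    decoded = normalize_target(target)
    return decoded.lower().startswith("/webapi/") and TRAVERSAL_RE.search(decoded) is not None


def scan_log(text):
    """Return one hit per suspicious request: client, method, raw and decoded target."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # malformed line; a production scanner would count these
        if is_webapi_traversal(m["target"]):
            hits.append({"client": m["client"], "method": m["method"],
                         "raw": m["target"], "decoded": normalize_target(m["target"])})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['client']} {hit['method']} {hit['decoded']}  (raw: {hit['raw']})")
```

On the sample above only the three webapi requests from 10.0.0.9 are reported; the traversal outside webapi and the "docs..v2" request are not.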
