CVE-2026-3091
📋 TL;DR
This vulnerability allows local attackers to execute arbitrary code or access sensitive files by placing a malicious DLL in the same directory as the Synology Presto Client installer. It affects users running vulnerable versions of Synology Presto Client on Windows systems. Attackers must have local access to the target system to exploit this flaw.
💻 Affected Systems
- Synology Presto Client
📦 What is this software?
Presto Client by Synology
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise through arbitrary code execution with installer privileges, potentially leading to data theft, ransomware deployment, or persistent backdoor installation.
Likely Case
Local privilege escalation allowing attackers to read sensitive files, modify system configurations, or install additional malware.
If Mitigated
Limited impact if proper access controls prevent unauthorized local users from placing files in installer directories.
🎯 Exploit Status
Exploitation requires local access to place the DLL and knowledge of when the installer will be executed. No public exploit code identified.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.1.3-0672 and later
Vendor Advisory: https://www.synology.com/en-global/security/advisory/Synology_SA_26_02
Restart Required: No
Instructions:
1. Download the latest Presto Client from the Synology website.
2. Uninstall the current version.
3. Install updated version 2.1.3-0672 or later.
4. Verify that the installation completes successfully.
🔧 Temporary Workarounds
Restrict installer directory permissions
Windows: Set strict permissions on directories where installers are executed to prevent unauthorized DLL placement
icacls "C:\Path\To\Installer\Directory" /deny Users:(OI)(CI)W
Use signed DLL enforcement
Windows: Configure Windows to only load signed DLLs where possible
🧯 If You Can't Patch
- Restrict local user access to systems running vulnerable Presto Client
- Monitor for DLL planting in installer directories and block installer execution from untrusted locations
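One way to carry out the DLL-planting check above before running the installer, as an added example that is not part of the vendor advisory or the original page. The default folder and the `*Presto*.exe` name filter are assumptions; point them at wherever the installer is actually stored.

```powershell
# Added example: list DLLs sitting in the same directory as a Presto Client
# installer, with their Authenticode status, before the installer is run.
# Assumptions: the default $Path and the '*Presto*.exe' filter are illustrative.
param(
    [string]$Path = (Join-Path $env:USERPROFILE 'Downloads'),
    [string]$InstallerFilter = '*Presto*.exe'
)

function Get-PlantedDllCandidate {
    param([string]$Directory, [string]$Filter)

    $installers = Get-ChildItem -LiteralPath $Directory -Filter $Filter -File -ErrorAction SilentlyContinue
    foreach ($exe in $installers) {
        # The flaw described on this page is triggered by a DLL placed in the
        # installer's own directory, so every DLL found there is reported.
        Get-ChildItem -LiteralPath $exe.DirectoryName -Filter '*.dll' -File |
            ForEach-Object {
                $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
                [pscustomobject]@{
                    Installer = $exe.Name
                    Dll       = $_.FullName
                    Created   = $_.CreationTime
                    # Triage signal only: a validly signed DLL beside the
                    # installer is still unexpected and should be reviewed.
                    Signature = $sig.Status
                    Signer    = $sig.SignerCertificate.Subject
                }
            }
    }
}

$findings = @(Get-PlantedDllCandidate -Directory $Path -Filter $InstallerFilter)
if ($findings.Count -eq 0) {
    Write-Output "No DLLs found beside installers matching '$InstallerFilter' in $Path"
} else {
    $findings | Format-Table -AutoSize
    Write-Warning 'Copy the installer to an empty directory that only administrators can write to before running it.'
}
```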
🔍 How to Verify
Check if Vulnerable:
Check the Presto Client version in Control Panel > Programs and Features. If the version is earlier than 2.1.3-0672, the system is vulnerable.
Check Version:
wmic product where name="Synology Presto Client" get version
Verify Fix Applied:
Verify that the installed version is 2.1.3-0672 or later. Test that the installer runs without loading external DLLs from the current directory.
📡 Detection & Monitoring
Log Indicators:
- Windows Event Logs showing DLL loading from installer directories
- Process Monitor logs showing DLL hijacking attempts
Network Indicators:
- Unusual outbound connections following installer execution
- DNS queries to suspicious domains after Presto Client installation
SIEM Query:
(EventID=7 OR EventID=11) AND ProcessName LIKE '%presto%' AND ImageLoaded LIKE '%.dll' AND NOT ImageLoaded LIKE '%system32%'