CVE-2024-10444
Published: 19 March 2025
Description
Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique to support follow-on behaviors such as [Network Sniffing](https://attack.
Security Summary
CVE-2024-10444 is an improper certificate validation vulnerability (CWE-295) in the LDAP utilities of Synology DiskStation Manager (DSM) in versions prior to 7.1.1-42962-8, 7.2.1-69057-7, and 7.2.2-72806-3. Because the LDAP client side does not properly validate the server's certificate, a man-in-the-middle (MITM) attacker can hijack the authentication of administrators via unspecified vectors. The issue was disclosed on March 19, 2025 and carries a CVSS v3.1 base score of 7.5 (High), vector AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H, so a successful attack has high impact on confidentiality, integrity, and availability of the DSM host.
The vector encodes the preconditions: the attacker must be on the network path between the DSM host and its LDAP server, which is what drives the high attack complexity (AC:H); no privileges on DSM are required (PR:N); and an administrator must trigger the vulnerable LDAP operation (UI:R), for example by authenticating against the directory. Once the attacker's endpoint is accepted as the legitimate LDAP server, the administrator's authentication can be intercepted and reused to impersonate that administrator, granting access to DSM administrative functions and, through them, the whole DiskStation.
Synology's security advisory (Synology_SA_25_01) covers the issue and recommends updating to DSM 7.1.1-42962-8, 7.2.1-69057-7, or 7.2.2-72806-3 (or later) on the release line in use; the fix corrects the certificate validation in the LDAP utilities.
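The advisory does not say how DSM's LDAP utilities skip validation, so the following added example (not Synology code, and not the actual DSM configuration) illustrates the general vulnerability class with an OpenLDAP-style client configuration: an audit function that flags a client configured to accept any server certificate, and the Python ssl context equivalent of the weak and hardened settings. The ldap.conf fragments, hostnames and CA path are constructed for the example; the TLS_REQCERT values follow ldap.conf(5).

```python
import socket
import ssl
from typing import List, Optional

# Constructed sample ldap.conf-style client configurations (not taken from any DSM system).
# The first accepts whatever certificate the "server" presents; the second pins a CA and fails closed.
WEAK_LDAP_CONF = """\
URI ldaps://ldap.example.internal
BASE dc=example,dc=internal
TLS_REQCERT never
"""

HARDENED_LDAP_CONF = """\
URI ldaps://ldap.example.internal
BASE dc=example,dc=internal
TLS_CACERT /etc/ssl/certs/internal-ca.pem
TLS_REQCERT demand
"""

# OpenLDAP TLS_REQCERT semantics (ldap.conf(5)): "never" does not even request a certificate,
# "allow" and "try" proceed with a bad or missing one; only "demand" (the default) and "hard"
# terminate the session when the certificate cannot be verified.
_ACCEPTS_BAD_CERT = {"never", "allow", "try"}


def parse_ldap_conf(text: str) -> dict:
    """Parse 'KEYWORD value' lines into a dict, ignoring blanks and comments."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            settings[parts[0].upper()] = parts[1].strip()
    return settings


def audit_ldap_conf(text: str) -> List[str]:
    """Return findings that would let an on-path attacker hijack an LDAP bind.

    An empty list means the client both encrypts and verifies the peer."""
    settings = parse_ldap_conf(text)
    findings = []
    uri = settings.get("URI", "")
    if uri.lower().startswith("ldap://"):
        findings.append("URI uses plaintext ldap://: credentials cross the network unencrypted")
    reqcert = settings.get("TLS_REQCERT", "demand").lower()
    if reqcert in _ACCEPTS_BAD_CERT:
        findings.append(
            f"TLS_REQCERT {reqcert}: server certificate is not verified, so an on-path "
            "attacker can present any certificate and capture the administrator bind"
        )
    return findings


def ldaps_context(cafile: Optional[str], verify: bool = True) -> ssl.SSLContext:
    """Build a TLS context for LDAPS. verify=False reproduces the weak 'TLS_REQCERT never' behaviour."""
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED and hostname checking on by default
    if not verify:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_validates_peer(ctx: ssl.SSLContext) -> bool:
    """The check a reviewer wants: chain verification AND hostname matching must both be on."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def ldaps_handshake(host: str, port: int, ctx: ssl.SSLContext) -> dict:
    """Perform a TLS handshake to an LDAPS server and return the peer certificate (network access required)."""
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_LDAP_CONF), ("hardened", HARDENED_LDAP_CONF)):
        print(name, audit_ldap_conf(conf) or "OK")
    print("verifying context:", context_validates_peer(ldaps_context(None)))
    print("non-verifying context:", context_validates_peer(ldaps_context(None, verify=False)))
```

Run the audit over the LDAP client configuration of any host that binds to a directory as a privileged account; a `never`/`allow`/`try` setting or a plaintext `ldap://` URI is exactly the condition an on-path attacker needs. The hardened context pins a private CA through `cafile` and keeps `check_hostname` on, so a certificate that chains correctly but names the wrong host is still rejected.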
Details
CWE(s): CWE-295 (Improper Certificate Validation)
Affected Products: Synology DiskStation Manager (DSM) before 7.1.1-42962-8, 7.2.1-69057-7, and 7.2.2-72806-3
MITRE ATT&CK Enterprise Techniques: Adversary-in-the-Middle (AiTM)
Why these techniques?
The improper certificate validation in DSM's LDAP utilities means the DSM host will accept an attacker-presented certificate for its LDAP server, so an adversary positioned on the network path between the two can terminate the connection, intercept the administrator's authentication, and hijack the session. That on-path interception is the Adversary-in-the-Middle technique, and the captured authentication is what enables the follow-on impersonation of the administrator.