CVE-2024-45538
Published: 04 December 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2024-45538 is a Cross-Site Request Forgery (CSRF) vulnerability, mapped to CWE-352, in the WebAPI Framework of Synology DiskStation Manager (DSM) versions before 7.2.1-69057-2 and 7.2.2-72806, and Synology Unified Controller (DSMUC) versions before 3.1.4-23079. Published on 2025-12-04, it carries a CVSS v3.1 base score of 9.6 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H). The issue enables remote attackers to execute arbitrary code through unspecified vectors.
Remote unauthenticated attackers can exploit this vulnerability by crafting malicious web pages or links that induce authenticated users to perform unintended actions on affected Synology devices. Exploitation requires user interaction, such as visiting a malicious site, but needs no privileges from the attacker. Successful attacks result in arbitrary code execution with high confidentiality, integrity, and availability impacts, potentially compromising the entire system due to the changed scope.
Synology's security advisory Synology_SA_24_27, available at https://www.synology.com/en-global/security/advisory/Synology_SA_24_27, details mitigation through updates to DSM 7.2.1-69057-2, DSM 7.2.2-72806, or DSMUC 3.1.4-23079 and later. Security practitioners should prioritize patching affected systems and advise users to avoid untrusted links.
Details
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CSRF vulnerability (CWE-352) in the Synology DSM WebAPI allows an unauthenticated remote attacker to exploit a public-facing web application by using malicious web pages or links to trick authenticated users into performing unintended actions, resulting in arbitrary code execution (T1190).