Critical Synology DSM Vulnerability Enables Remote Command Execution

Severity: High (Score: 72.9)

Sources: Cybersecuritynews, Gbhackers

Summary

Synology has released an urgent security update for its DiskStation Manager (DSM) software to address a critical vulnerability, CVE-2026-32746, which could allow unauthenticated remote attackers to execute arbitrary commands on affected NAS devices. This vulnerability, tracked under security advisory Synology-SA-26:03, has a maximum CVSS v3 score of 9.8, indicating a severe risk to users. The flaw originates from a buffer overflow in the telnetd service of the GNU Inetutils package, affecting software versions up to 2.7. If exploited, attackers could deploy ransomware, steal sensitive data, or use compromised devices to attack other systems on the network. Synology recommends that administrators apply the latest firmware updates immediately and disable the Telnet service as a temporary workaround. While patches are available for the main DSM product line, some specialized systems are still awaiting fixes. The vulnerability was published on March 13, 2026, with the first proof of concept appearing on March 18, 2026.

Key Points:

  • CVE-2026-32746 allows remote command execution on Synology NAS devices.
  • The vulnerability has a CVSS score of 9.8, indicating critical severity.
  • Administrators are urged to apply patches and disable Telnet to mitigate risks.

Key Entities

  • Zero-day Exploit (attack_type)
  • CVE-2026-32746 (cve)
  • Kiss Loader (malware)
  • Torg Grabber (malware)
  • BeeStation OS (platform)
  • DiskStation Manager (platform)
  • Vs600hd (platform)
  • Windows (platform)