Description
A plaintext storage of a password vulnerability in Synology SSL VPN Client before 1.4.5-0684 allows remote attackers to access or influence the user's PIN code due to insecure storage. This may lead to unauthorized VPN configuration and potential interception of subsequent VPN traffic when combined with user interaction.
Published: 2026-04-10
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized VPN configuration and potential traffic interception
Action: Patch Immediately
AI Analysis

Impact

An insecure storage mechanism in Synology SSL VPN Client versions before 1.4.5‑0684 records the user’s PIN in plain text. This weakness allows an attacker to read or modify the PIN, which can in turn enable unauthorized configuration of the VPN or compromise the integrity of subsequent VPN traffic. The flaw is a password storage vulnerability, identified as CWE‑256.

Affected Systems

Synology SSL VPN Client, all releases earlier than 1.4.5‑0684.

Risk and Exploitability

The CVSS score of 8.1 signals high severity. No EPSS data or KEV listing indicates that widespread exploitation has not yet been observed, although the vulnerability remains theoretically exploitable. Achieving the attack likely requires the attacker to gain access to the client on the user’s machine, such as through malicious software or local privilege escalation, to read or alter the stored PIN. Once the PIN is compromised, an attacker can configure the VPN or trick the user into accepting changes, which may allow interception or tampering of VPN traffic.

Generated by OpenCVE AI on April 10, 2026 at 10:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Synology SSL VPN Client to version 1.4.5‑0684 or later

Generated by OpenCVE AI on April 10, 2026 at 10:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 13 Apr 2026 14:30:00 +0000

Type Values Removed Values Added
Title Plaintext Password Storage in Synology SSL VPN Client Enabling Unauthorized VPN Configuration

Mon, 13 Apr 2026 13:00:00 +0000

Type Values Removed Values Added
First Time appeared Synology
Synology ssl Vpn Client
Vendors & Products Synology
Synology ssl Vpn Client

Fri, 10 Apr 2026 13:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 10 Apr 2026 09:45:00 +0000

Type Values Removed Values Added
Description A plaintext storage of a password vulnerability in Synology SSL VPN Client before 1.4.5-0684 allows remote attackers to access or influence the user's PIN code due to insecure storage. This may lead to unauthorized VPN configuration and potential interception of subsequent VPN traffic when combined with user interaction.
Weaknesses CWE-256
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N'}

Subscriptions

Synology Ssl Vpn Client
cve-icon MITRE

Status: PUBLISHED

Assigner: synology

Published:

Updated: 2026-04-10T12:42:56.656Z

Reserved: 2026-04-10T06:29:38.695Z

Link: CVE-2021-47961

cve-icon Vulnrichment

Updated: 2026-04-10T12:42:53.753Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-10T10:16:03.913

Modified: 2026-04-13T15:02:06.187

Link: CVE-2021-47961

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-13T13:06:11Z

Weaknesses