Description
A cleartext transmission of sensitive information vulnerability in Synology Note Station Client before 2.2.4-703 allows man-in-the-middle attackers to obtain user credential.
Published: 2026-06-03
Score: 5.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Synology Note Station Client users may have their login credentials exposed when the client transmits data in cleartext. The flaw, identified as CWE‑319, permits an attacker positioned between the client and server to capture authentication details before they reach the backend. This jeopardizes the confidentiality of all user sessions and can lead to full account compromise if no additional safeguards are in place.

Affected Systems

The vulnerability affects Synology Note Station Client versions prior to 2.2.4‑703. Any installation of the client on endpoints that communicate over unsecured channels is susceptible. Synology’s official release notes indicate that the issue was fixed in the 2.2.4‑703 build; no other affected products are listed.

Risk and Exploitability

The CVSS score of 5.9 signals moderate severity, and the lack of an EPSS rating suggests limited publicly visible exploitation data. Because the attack requires a man‑in‑the‑middle position to intercept cleartext traffic, the risk is contingent on network exposure. The vulnerability is not in CISA’s KEV catalog, indicating no confirmed widespread attacks yet, but the medium CVSS and possibility of credential leakage warrant prompt action.

Generated by OpenCVE AI on June 3, 2026 at 15:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Synology Note Station Client to version 2.2.4‑703 or newer, where the cleartext transmission is fixed.
  • If an upgrade is not immediately feasible, enforce encrypted communication by connecting the client through a VPN or ensuring the server supports TLS and configuring the client to use it.
  • Consider rotating account passwords and enable two‑factor authentication where possible to reduce the impact of any captured credentials.

Generated by OpenCVE AI on June 3, 2026 at 15:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 03 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 03 Jun 2026 15:45:00 +0000

Type Values Removed Values Added
Title Cleartext Transmission Vulnerability in Synology Note Station Client Allows MITM Credential Theft

Wed, 03 Jun 2026 14:15:00 +0000

Type Values Removed Values Added
Description A cleartext transmission of sensitive information vulnerability in Synology Note Station Client before 2.2.4-703 allows man-in-the-middle attackers to obtain user credential.
Weaknesses CWE-319
References
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: synology

Published:

Updated: 2026-06-03T15:44:24.852Z

Reserved: 2024-09-24T08:35:52.122Z

Link: CVE-2023-52951

cve-icon Vulnrichment

Updated: 2026-06-03T15:44:21.561Z

cve-icon NVD

Status : Received

Published: 2026-06-03T14:16:25.870

Modified: 2026-06-03T14:16:25.870

Link: CVE-2023-52951

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-03T15:30:26Z

Weaknesses