Description
Improper check for unusual or exceptional conditions vulnerability in SSO in Synology DiskStation Manager (DSM) before 7.2.2-72806-5 and 7.3.1-86003-1 (7.2.1-69057 is not affected) allows remote attackers to bypass authentication with prior knowledge of the distinguished name (DN).
Published: 2026-05-27
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability involves an improper check for unusual or exceptional conditions in the single sign-on (SSO) flow of Synology DiskStation Manager. Attackers who already know a valid distinguished name (DN) can bypass authentication, granting them unauthorized access to the device's management interface. This leads to full compromise of confidentiality, integrity, and availability of the affected DSM installation.

Affected Systems

Synology DiskStation Manager (DSM) versions prior to 7.2.2‑72806‑5 and 7.3.1‑86003‑1 are affected. The 7.2.1‑69057 release is not impacted. The issue resides in the SSO component of DSM.

Risk and Exploitability

The CVSS score of 8.1 indicates high severity, but the EPSS score is not available, suggesting limited data on current exploitation likelihood. The vulnerability is not listed in the CISA KEV catalog. The attack vector is remote, likely over the network via the SSO endpoints. Attackers require knowledge of a DN but no additional privileges. If exploited, the attacker would gain full administrative control of the DSM device.

Generated by OpenCVE AI on May 27, 2026 at 10:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update DSM to the patched releases 7.2.2‑72806‑5 or newer, or 7.3.1‑86003‑1 or newer.
  • If an update is not feasible, disable the SSO feature or restrict SSO to trusted networks.
  • Monitor authentication logs for unexpected DN usage and enforce strong password policies.

Generated by OpenCVE AI on May 27, 2026 at 10:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 27 May 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 27 May 2026 10:45:00 +0000

Type Values Removed Values Added
Title Remote Authentication Bypass via SSO in Synology DSM

Wed, 27 May 2026 09:00:00 +0000

Type Values Removed Values Added
Description Improper check for unusual or exceptional conditions vulnerability in SSO in Synology DiskStation Manager (DSM) before 7.2.2-72806-5 and 7.3.1-86003-1 (7.2.1-69057 is not affected) allows remote attackers to bypass authentication with prior knowledge of the distinguished name (DN).
Weaknesses CWE-754
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: synology

Published:

Updated: 2026-05-27T13:44:34.268Z

Reserved: 2025-11-19T00:37:57.748Z

Link: CVE-2025-13392

cve-icon Vulnrichment

Updated: 2026-05-27T13:44:30.948Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-27T09:16:26.607

Modified: 2026-05-27T14:54:20.160

Link: CVE-2025-13392

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-27T10:30:28Z

Weaknesses