Impact
The Synology C2 Identity Edge Server package for DSM exposes a dangerous method that allows a remote attacker to retrieve stored user credentials. The flaw is an instance of CWE-749 (Exposed Dangerous Method or Function). An attacker who can reach the exposed API can download full credential data, likely including passwords or other authentication tokens, undermining both the confidentiality and the integrity of user identities.
Affected Systems
Any Synology C2 Identity Edge Server installation on DSM with a package version prior to 1.76.0-0307 is affected. The vulnerability resides in the C2 Identity Edge Server package itself, so every installation on that platform running one of the older package versions is exposed.
Risk and Exploitability
The CVSS score of 7.5 indicates high severity, reflecting the significant damage that successful exploitation could cause. Although an EPSS score is not available, the vulnerability is remotely reachable and exposes credentials, so exploitation is plausible, especially in environments where the edge server is exposed to potential attackers. The vulnerability is not currently listed in CISA’s KEV catalog, but that does not diminish its inherent risk. The likely attack vector is remote: the exposed method or function is accessed over the network, with no local privilege escalation needed.