Description
An origin validation error vulnerability in Synology Assistant before 7.0.6-50085 allows local users to write arbitrary files with restricted content during installation.
Published: 2026-05-27
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An origin validation error in Synology Assistant before version 7.0.6-50085 allows a local user to write arbitrary files with restricted content during the installation process. The flaw effectively bypasses the expected origin checks and permits unauthorized creation or modification of critical files, which could be leveraged to alter system configuration or drop malicious payloads. The impact is confined to the local system where the installation occurs, potentially leading to unauthorized code execution or data integrity violations for that user or the device as a whole.

Affected Systems

Synology Assistant running on Synology NAS devices, any release prior to 7.0.6-50085. The vulnerability affects the assistant component that handles software installation and package deployment, and it requires a user with local administrative or installation privileges.

Risk and Exploitability

The CVSS score of 6.1 indicates moderate severity. EPSS data is not available, and the vulnerability is not listed in CISA KEV, suggesting limited known exploitation. The attack vector is local; an adversary needs a legitimate local account and must trigger the installation routine. Because the flaw allows writing arbitrary files during installation, an attacker could inject malicious configuration or executable files that the Synology Assistant later processes, potentially leading to denial of service or elevation of privileges on the affected device.

Generated by OpenCVE AI on May 27, 2026 at 10:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Synology Assistant version 7.0.6-50085 or newer to apply the vendor fix.
  • Restrict local user permissions so that only trusted administrators can perform software installations and system configuration changes.
  • Enable or enforce package signature verification to ensure that only signed, trusted installation packages are accepted by Synology Assistant.



Advisories

No advisories yet.

History

Wed, 27 May 2026 13:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 27 May 2026 10:45:00 +0000

Type | Values Removed | Values Added
Title | | Local User Arbitrary File Write via Origin Validation Error in Synology Assistant

Wed, 27 May 2026 09:00:00 +0000

Type | Values Removed | Values Added
Description | | An origin validation error vulnerability in Synology Assistant before 7.0.6-50085 allows local users to write arbitrary files with restricted content during installation.
Weaknesses | | CWE-346
References | |
Metrics | | cvssV3_1 {'score': 6.1, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:H'}



MITRE

Status: PUBLISHED

Assigner: synology

Published:

Updated: 2026-05-27T12:15:15.534Z

Reserved: 2025-12-05T03:19:16.761Z

Link: CVE-2025-66593

Vulnrichment

Updated: 2026-05-27T12:14:26.762Z

NVD

Status: Received

Published: 2026-05-27T09:16:27.760

Modified: 2026-05-27T09:16:27.760

Link: CVE-2025-66593

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T10:30:28Z

Weaknesses