Hello fellow Synology admins,
I recently stumbled upon this advisory by Synology for their vulnerability CVE-2022-45188 that is considered a RCE (remote-code-exploitation) that leverages a bug in Synology’s quickconnect feature.
Luckily for us, according to Synology’s website [1|, this bug has already been fixed in the latest Synology patch.
If you haven’t applied it yet, I highly recommend that you apply it asap.
In case you’re curious and want to know more about this set of vulnerabilities, I recommend this further reading the report [2] by the company Claroty who have disclosed these vulnerabilities and have reported them to Synology.
cheers,
Theresa
[1] - Synology’s advisory - https://www.synology.com/en-global/security/advisory/Synology_SA_22_23
[2] - Claroty’s documentation on the vulnerability - Exploiting Cloud Connectivity to PWN your NAS: Synology DS920 | Claroty