CVE-2021-47961
Published: 10 April 2026
Summary
CVE-2021-47961 is a high-severity Plaintext Storage of a Password (CWE-256) vulnerability in Synology SSL VPN Client. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Credentials In Files (T1552.001); ranked at the 23.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SC-28 (Protection of Information at Rest).
Deeper analysis
CVE-2021-47961 is a plaintext storage of a password vulnerability (CWE-256) in Synology SSL VPN Client versions before 1.4.5-0684. The client stores the user's PIN code insecurely, so a remote attacker can read or alter it.
The CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N) reflects a network-reachable flaw with low attack complexity and no privileges required, but one that depends on user interaction. Successful exploitation has high confidentiality and integrity impact: an attacker who obtains or modifies the PIN can push unauthorized VPN configuration and potentially intercept the subsequent VPN traffic.
Synology's security advisory (https://www.synology.com/en-global/security/advisory/Synology_SA_26_05) details mitigation, recommending an update to Synology SSL VPN Client version 1.4.5-0684 or later to address the insecure storage issue.
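Deciding whether an installed client is "before 1.4.5-0684" is easy to get wrong if versions are compared as strings ("1.4.10-0700" sorts before "1.4.5-0684" lexically, and "0684" versus "684" differ only in padding). The following added example, not part of the page or of any Synology tooling, parses the major.minor.patch-build form into numeric tuples and flags hosts in a constructed inventory that still need the update; the hostnames and version strings are made up for the demonstration, and a version reported without a build number is treated conservatively as the earliest build.

```python
import re
from typing import Dict, List, Tuple

# Fixed version named in the Synology advisory cited above.
FIXED_VERSION = "1.4.5-0684"

# major.minor.patch with an optional -build suffix; a leading 'v' is tolerated.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-(\d+))?$")


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Turn '1.4.5-0684' into (1, 4, 5, 684) so tuples compare numerically.

    A missing build number becomes 0, i.e. the version is treated as the
    earliest build of that release and will be flagged as affected.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch, build = m.groups()
    return (int(major), int(minor), int(patch), int(build) if build is not None else 0)


def is_affected(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed client is older than the fixed release."""
    return parse_version(installed) < parse_version(fixed)


# Constructed sample inventory (hostname -> reported client version); not real hosts.
SAMPLE_INVENTORY: Dict[str, str] = {
    "laptop-01": "1.4.3-0620",    # older release: affected
    "laptop-02": "1.4.5-0684",    # exactly the fixed build: not affected
    "laptop-03": "1.4.10-0700",   # newer, but sorts *before* 1.4.5 as a string
    "laptop-04": "1.4.5-0650",    # same release, earlier build: affected
    "laptop-05": "1.4.5",         # no build reported: flagged conservatively
}


def affected_hosts(inventory: Dict[str, str], fixed: str = FIXED_VERSION) -> List[str]:
    """Hostnames whose client version is older than the fixed release, sorted."""
    return sorted(host for host, ver in inventory.items() if is_affected(ver, fixed))


if __name__ == "__main__":
    for host in affected_hosts(SAMPLE_INVENTORY):
        print(f"{host}: {SAMPLE_INVENTORY[host]} -> update to {FIXED_VERSION}")
```

Feed it whatever version string your endpoint-management tool reports for the client; the regex will reject anything it cannot interpret rather than silently mark it patched.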
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2021-34779
Vulnerability details
A plaintext storage of a password vulnerability in Synology SSL VPN Client before 1.4.5-0684 allows remote attackers to access or influence the user's PIN code due to insecure storage. This may lead to unauthorized VPN configuration and potential interception of subsequent VPN traffic when combined with user interaction.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Credentials In Files (T1552.001) is a direct match: the client's insecure plaintext storage of the PIN code (CWE-256) lets an attacker recover the credential from client files or configuration.
Mitigating Controls (NIST 800-53 r5)
- SC-28 (Protection of Information at Rest): requires cryptographic mechanisms to protect sensitive information such as PIN codes at rest, directly preventing the plaintext-storage exposure.
- IA-5 (Authenticator Management): mandates secure management and protection of authenticators such as PIN codes, addressing the insecure storage of VPN credentials.
- SI-2 (Flaw Remediation): requires timely remediation of flaws, here patching Synology SSL VPN Client to version 1.4.5-0684 or later.