Cyber Posture

CVE-2021-47961

High

Published: 10 April 2026

Modified: 13 April 2026
KEV Added
Patch
CVSS Score: 8.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N)
EPSS Score: 0.0004 (13.5th percentile)
Risk Priority: 16 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2021-47961 is a high-severity Plaintext Storage of a Password (CWE-256) vulnerability in Synology SSL VPN (inferred from references). Its CVSS base score is 8.1 (High).

Operationally, it ranks at the 13.5th percentile by exploit likelihood (EPSS), which is below the median, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SC-28 (Protection of Information at Rest).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI]

prevent: Requires cryptographic mechanisms to protect sensitive information like PIN codes at rest, directly preventing plaintext storage exploitation.

prevent: Mandates secure management and protection of authenticators such as PIN codes, addressing insecure storage of VPN credentials.

prevent: Requires timely flaw remediation, including patching Synology SSL VPN Client to version 1.4.5-0684 or later to fix the plaintext storage vulnerability.

NVD Description

A plaintext storage of a password vulnerability in Synology SSL VPN Client before 1.4.5-0684 allows remote attackers to access or influence the user's PIN code due to insecure storage. This may lead to unauthorized VPN configuration and potential interception of subsequent VPN traffic when combined with user interaction.

Deeper analysis [AI]

CVE-2021-47961 is a plaintext storage of a password vulnerability (CWE-256) in Synology SSL VPN Client versions before 1.4.5-0684. The flaw stems from insecure storage that exposes the user's PIN code to remote attackers, who can access or influence it.

Remote attackers can exploit this over the network with low attack complexity, no privileges, and user interaction required, as indicated by the CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N). Exploitation allows high-impact confidentiality and integrity violations, such as unauthorized VPN configuration and potential interception of subsequent VPN traffic when paired with user interaction.

Synology's security advisory (https://www.synology.com/en-global/security/advisory/Synology_SA_26_05) details mitigation, recommending an update to Synology SSL VPN Client version 1.4.5-0684 or later to address the insecure storage issue.

Details

CWE(s)

Affected Products

Synology SSL VPN (inferred from references and description; NVD did not file a CPE for this CVE)

CVEs Like This One

CVE-2025-27656 (Shared CWE-256)
CVE-2026-33216 (Shared CWE-256)
CVE-2024-55026 (Shared CWE-256)
CVE-2026-35556 (Shared CWE-256)
CVE-2025-27662 (Shared CWE-256)
CVE-2025-36258 (Shared CWE-256)
CVE-2026-21417 (Shared CWE-256)
CVE-2024-41336 (Shared CWE-256)
CVE-2024-10334 (Shared CWE-256)
CVE-2026-21660 (Shared CWE-256)
