CVE-2022-43931
Published: 03 January 2023
Summary
CVE-2022-43931 is a critical-severity out-of-bounds write vulnerability in Synology VPN Plus Server. Its CVSS base score is 10.0 (Critical).
Operationally, it ranks in the top 11.4% of CVEs by EPSS exploit likelihood and is not currently listed in the CISA KEV catalog.
Deeper analysis
CVE-2022-43931 is an out-of-bounds write in the Remote Desktop Functionality of Synology VPN Plus Server in versions before 1.4.3-0534 and 1.4.4-0635. It affects the VPN Plus Server package running on Synology NAS devices and carries a CVSS 3.1 score of 10.0 because the flaw is reachable over the network without authentication and has full impact on confidentiality, integrity, and availability.
Remote attackers can exploit the flaw without credentials or user interaction to execute arbitrary commands on the target system; the advisory describes the trigger only as "unspecified vectors" in the remote desktop component and publishes no further technical detail. Successful exploitation grants full control over the affected device, which can then serve as a foothold for lateral movement or persistence within the network.
Synology addressed the issue in advisory Synology_SA_22_26 by releasing the fixed VPN Plus Server versions 1.4.3-0534 and 1.4.4-0635 and urging immediate updates for all exposed installations.
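The following Python helper is an added example for triaging installed versions against the fix points named above; it is not code from this page or from Synology. It assumes that 1.4.3-0534 and 1.4.4-0635 are the fix points of two parallel release lines, so a build is fixed only when it is at or past the fix for its own line, and that the installed version can be read from the package's INFO file, assumed here to live at /var/packages/VPNCenter/INFO with a `version="..."` line. The path and the sample INFO content are assumptions, not taken from the page.

```python
"""Check a Synology VPN Plus Server version against the CVE-2022-43931 fix points."""
import os
import re
import sys
from typing import Dict, Optional, Tuple

Release = Tuple[int, int, int]

# Fix points from the advisory text. Assumption: these are two parallel
# release lines, so a build is fixed only at or past the fix for its own line.
FIXED_BUILDS: Dict[Release, int] = {
    (1, 4, 3): 534,
    (1, 4, 4): 635,
}

# Assumed location of the package metadata on DSM (not stated on the page).
DEFAULT_INFO_PATH = "/var/packages/VPNCenter/INFO"

# Synology package versions look like "1.4.3-0534": major.minor.patch-build.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(\d+)$")
# INFO files are shell-style key="value" lines; we only need the version line.
_INFO_VERSION_RE = re.compile(r'^version="?([^"\n]+)"?\s*$', re.MULTILINE)

# Constructed sample INFO content, used only when no real file is available.
SAMPLE_INFO = (
    'package="VPNCenter"\n'
    'version="1.4.3-0533"\n'
    'displayname="VPN Plus Server"\n'
)


def parse_version(text: str) -> Tuple[Release, int]:
    """Split '1.4.3-0534' into ((1, 4, 3), 534); reject anything else."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised package version: {text!r}")
    major, minor, patch, build = (int(x) for x in m.groups())
    return (major, minor, patch), build


def is_vulnerable(version: str) -> bool:
    """True when the version predates the fix for its release line."""
    release, build = parse_version(version)
    if release in FIXED_BUILDS:
        return build < FIXED_BUILDS[release]
    if release < min(FIXED_BUILDS):
        return True   # older than every fixed release line
    if release > max(FIXED_BUILDS):
        return False  # newer than every fixed release line
    return True       # unknown line in between: treat as unpatched (conservative)


def version_from_info(info_text: str) -> Optional[str]:
    """Extract the version string from INFO file content, or None if absent."""
    m = _INFO_VERSION_RE.search(info_text)
    return m.group(1).strip() if m else None


def triage(info_text: str) -> Tuple[Optional[str], str]:
    """Return (version, verdict) where verdict is one of
    'vulnerable', 'fixed', 'unknown'."""
    version = version_from_info(info_text)
    if version is None:
        return None, "unknown"
    try:
        return version, ("vulnerable" if is_vulnerable(version) else "fixed")
    except ValueError:
        return version, "unknown"


def main() -> int:
    path = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_INFO_PATH
    if os.path.exists(path):
        with open(path, encoding="utf-8") as fh:
            text = fh.read()
    else:
        print(f"{path} not found; using constructed sample INFO", file=sys.stderr)
        text = SAMPLE_INFO
    version, verdict = triage(text)
    print(f"VPN Plus Server {version or '?'}: {verdict} (CVE-2022-43931)")
    return 1 if verdict == "vulnerable" else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it on the NAS as `python3 check.py /var/packages/VPNCenter/INFO`; a non-zero exit means the installed build predates the fix for its line. The "unknown line in between" branch cannot occur for these two fix points but keeps the check conservative if the table is extended.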
The EPSS score rose materially from a low starting point to a peak of 0.2409 on 2025-12-11 before receding to the current value of 0.0392. That trajectory shows exploitation interest emerging well after disclosure, so installations that were never updated still warrant attention during triage.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-46901
Vulnerability details
Out-of-bounds write vulnerability in Remote Desktop Functionality in Synology VPN Plus Server before 1.4.3-0534 and 1.4.4-0635 allows remote attackers to execute arbitrary commands via unspecified vectors.
- CWE(s): CWE-787 (Out-of-bounds Write)
Related Threats
No named threat actor has been attributed. ATT&CK technique mapping is in progress for this CVE.
Affected Assets
- Synology VPN Plus Server before 1.4.3-0534 and before 1.4.4-0635 (the VPN Plus Server package on Synology NAS devices)
Mitigating Controls
No mitigating controls have been mapped by the per-CVE control annotator yet. The vendor fix is to update VPN Plus Server to 1.4.3-0534 or 1.4.4-0635 (or later) as described in Synology_SA_22_26; until that is done, avoid exposing the service to untrusted networks, since the flaw needs no credentials to trigger.