Cyber Resilience

CVE-2022-43931

Critical

Published: 03 January 2023

Modified: 21 November 2024
KEV Added: not listed
Patch: available (see vendor advisory below)
CVSS Score v3.1: 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0392 (88.6th percentile)
Risk Priority: 22 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2022-43931 is a critical-severity vulnerability of unspecified weakness type (no CWE listed) in Synology VPN Plus Server. Its CVSS base score is 10.0 (Critical).

Operationally, it ranks in the top 11.4% of CVEs by exploit likelihood (EPSS 0.0392, 88.6th percentile); it is not currently listed in the CISA KEV catalog.

Deeper analysis

The vulnerability CVE-2022-43931 is an out-of-bounds write in the Remote Desktop Functionality of Synology VPN Plus Server versions prior to 1.4.3-0534 and 1.4.4-0635. This affects the VPN Plus Server package running on Synology NAS devices and carries a CVSS 3.1 score of 10.0 due to its unauthenticated network exposure and full impact on confidentiality, integrity, and availability.

Remote attackers can exploit the flaw without credentials or user interaction to execute arbitrary commands on the target system via unspecified vectors in the remote desktop component. Successful exploitation grants full control over the affected device, which in turn can enable lateral movement or persistence within the network.

Synology addresses the issue in advisory Synology_SA_22_26 by releasing patched versions of VPN Plus Server (1.4.3-0534 and 1.4.4-0635) and urging immediate updates for all exposed installations.

The EPSS score rose materially from a low starting point to a peak of 0.2409 on 2025-12-11 before receding to the current value of 0.0392, signaling that exploitation interest emerged after disclosure and that the CVE warrants renewed attention.

Vulnerability details

Out-of-bounds write vulnerability in Remote Desktop Functionality in Synology VPN Plus Server before 1.4.3-0534 and 1.4.4-0635 allows remote attackers to execute arbitrary commands via unspecified vectors.

CWE(s)
None listed

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Synology VPN Plus Server
Versions before 1.4.3-0534 (1.4.3 branch) and before 1.4.4-0635 (1.4.4 branch)

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.