CVE-2024-45538
Published: 04 December 2025
Summary
CVE-2024-45538 is a critical-severity CSRF (CWE-352) vulnerability in Synology Diskstation Manager. Its CVSS base score is 9.6 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its exploit-likelihood ranking sits at the 16.2 percentile (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SC-23 (Session Authenticity): directly addresses CSRF by requiring mechanisms that protect the authenticity of web communication sessions, such as anti-CSRF tokens, preventing forged requests from executing arbitrary code.
- SI-2 (Flaw Remediation): mandates timely identification, reporting, and correction of flaws such as this CSRF vulnerability through vendor patching, as specified in Synology_SA_24_27.
- SI-10 (Information Input Validation): requires validation of HTTP inputs, including Referer headers and request parameters, mitigating CSRF exploitation vectors in the WebAPI Framework.
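The SC-23 and input-validation controls above amount to two server-side checks on every state-changing WebAPI call. The following is an added illustration in Python, not Synology's code; the NAS origin, the session cookie name `id`, the form field `_csrf` and the server key are assumptions. It mints a session-bound synchronizer token and then gates a request on an Origin/Referer match plus token verification, rejecting the forged-request cases (cross-site origin, absent token, token from another session).

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Assumed deployment value (constructed): the NAS's own origin as the browser sees it.
ALLOWED_ORIGIN = "https://nas.example.internal:5001"


def issue_csrf_token(session_id: str, server_key: bytes) -> str:
    """Mint a token bound to one session: a nonce plus an HMAC over (session, nonce),
    so a token captured from a different session fails verification."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(server_key, f"{session_id}:{nonce}".encode(), "sha256").hexdigest()
    return f"{nonce}.{mac}"


def source_allowed(headers: dict) -> bool:
    """Origin check with Referer as fallback (the header validation SI-10 asks for).
    Browsers attach Origin to cross-site POSTs, so a missing header is a deny, not a pass."""
    src = headers.get("Origin") or headers.get("Referer")
    if not src:
        return False
    got, want = urlsplit(src), urlsplit(ALLOWED_ORIGIN)
    return (got.scheme, got.netloc) == (want.scheme, want.netloc)


def validate_request(method: str, headers: dict, cookies: dict,
                     form: dict, server_key: bytes) -> tuple:
    """Gate for a state-changing WebAPI call. Returns (allowed, reason).
    Both checks must pass: a forged cross-site request carries the victim's session
    cookie automatically, but neither the token nor a matching Origin."""
    if method.upper() in ("GET", "HEAD", "OPTIONS"):
        return True, "safe method"  # such handlers must not change state server-side
    if not source_allowed(headers):
        return False, "origin mismatch"
    session_id = cookies.get("id", "")
    nonce, _, mac = form.get("_csrf", "").partition(".")
    if not session_id or not mac:
        return False, "missing token"
    expected = hmac.new(server_key, f"{session_id}:{nonce}".encode(), "sha256").hexdigest()
    if not hmac.compare_digest(mac, expected):  # constant-time comparison
        return False, "token mismatch"
    return True, "ok"
```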
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CSRF vulnerability (CWE-352) in the Synology DSM WebAPI allows unauthenticated remote exploitation of a public-facing web application: a malicious web page or link tricks an authenticated user into issuing forged requests, resulting in arbitrary code execution (T1190).
NVD Description
Cross-Site Request Forgery (CSRF) vulnerability in WebAPI Framework in Synology DiskStation Manager (DSM) before 7.2.1-69057-2 and 7.2.2-72806 and Synology Unified Controller (DSMUC) before 3.1.4-23079 allows remote attackers to execute arbitrary code via unspecified vectors.
Deeper analysis
CVE-2024-45538 is a Cross-Site Request Forgery (CSRF) vulnerability, mapped to CWE-352, in the WebAPI Framework of Synology DiskStation Manager (DSM) versions before 7.2.1-69057-2 and 7.2.2-72806, and Synology Unified Controller (DSMUC) versions before 3.1.4-23079. Published on 2025-12-04, it carries a CVSS v3.1 base score of 9.6 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H). The issue enables remote attackers to execute arbitrary code through unspecified vectors.
Remote unauthenticated attackers can exploit this vulnerability by crafting malicious web pages or links that induce authenticated users to perform unintended actions on affected Synology devices. Exploitation requires user interaction, such as visiting a malicious site, but needs no privileges from the attacker. Successful attacks result in arbitrary code execution with high confidentiality, integrity, and availability impacts, potentially compromising the entire system due to the changed scope.
Synology's security advisory Synology_SA_24_27, available at https://www.synology.com/en-global/security/advisory/Synology_SA_24_27, details mitigation through updates to DSM 7.2.1-69057-2, DSM 7.2.2-72806, or DSMUC 3.1.4-23079 and later. Security practitioners should prioritize patching affected systems and advise users to avoid untrusted links.
Details
- CWE(s): CWE-352 (Cross-Site Request Forgery)