Cyber Resilience

CVE-2024-45538

Critical

Published: 04 December 2025
Modified: 05 December 2025
CVSS Score v3.1: 9.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H)
EPSS Score: 0.0006 (19.5th percentile)
Risk Priority: 19 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-45538 is a critical-severity Cross-Site Request Forgery (CSRF, CWE-352) vulnerability in Synology DiskStation Manager. Its CVSS v3.1 base score is 9.6 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 19.5th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2024-45538 is a Cross-Site Request Forgery (CSRF) vulnerability, mapped to CWE-352, in the WebAPI Framework of Synology DiskStation Manager (DSM) versions before 7.2.1-69057-2 and 7.2.2-72806, and Synology Unified Controller (DSMUC) versions before 3.1.4-23079. Published on 2025-12-04, it carries a CVSS v3.1 base score of 9.6 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H). The issue enables remote attackers to execute arbitrary code through unspecified vectors.

Remote unauthenticated attackers can exploit this vulnerability by crafting malicious web pages or links that induce authenticated users to perform unintended actions on affected Synology devices. Exploitation requires user interaction, such as visiting a malicious site, but needs no privileges from the attacker. Successful attacks result in arbitrary code execution with high confidentiality, integrity, and availability impacts, potentially compromising the entire system due to the changed scope.

Synology's security advisory Synology_SA_24_27, available at https://www.synology.com/en-global/security/advisory/Synology_SA_24_27, details mitigation through updates to DSM 7.2.1-69057-2, DSM 7.2.2-72806, or DSMUC 3.1.4-23079 and later. Security practitioners should prioritize patching affected systems and advise users to avoid untrusted links.

Vulnerability details

Cross-Site Request Forgery (CSRF) vulnerability in WebAPI Framework in Synology DiskStation Manager (DSM) before 7.2.1-69057-2 and 7.2.2-72806 and Synology Unified Controller (DSMUC) before 3.1.4-23079 allows remote attackers to execute arbitrary code via unspecified vectors.

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

CSRF vulnerability (CWE-352) in Synology DSM WebAPI enables unauthenticated remote exploitation of a public-facing web application via malicious web pages/links tricking authenticated users, resulting in arbitrary code execution (T1190).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2024-10441: same product (Synology DiskStation Manager)
CVE-2024-10442: same product (Synology DiskStation Manager)
CVE-2024-50631: same product class (NAS / storage appliance)
CVE-2024-11131: same product class (NAS / storage appliance)
CVE-2025-13392: same product (Synology DiskStation Manager)
CVE-2024-10444: same product (Synology DiskStation Manager)
CVE-2025-14713: same product (Synology DiskStation Manager)
CVE-2025-30028: same product (Synology DiskStation Manager)
CVE-2024-50630: same product class (NAS / storage appliance)
CVE-2021-47961: same product class (NAS / storage appliance)

Affected Assets

Synology DiskStation Manager: 7.2.1-69057 to 7.2.1-69057-2; 7.2.2-72803 to 7.2.2-72806
Synology DiskStation Manager Unified Controller: 3.1-23028 to 3.1.4-23079

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

SC-23 Session Authenticity (prevent)
Directly addresses CSRF by requiring mechanisms to protect the authenticity of web communications sessions, such as anti-CSRF tokens, preventing forged requests that execute arbitrary code.

SI-2 Flaw Remediation (prevent)
Mandates timely identification, reporting, and correction of flaws like this CSRF vulnerability through vendor patching as specified in Synology_SA_24_27.

Input validation (prevent)
Requires validation of HTTP inputs including Referer headers and parameters, mitigating CSRF exploitation vectors in the WebAPI framework.