Multiple vulnerabilities in Synology SRM
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 4 |
| CVE-ID | CVE-2025-29843 CVE-2025-29844 CVE-2025-29845 CVE-2025-29846 |
| CWE-ID | CWE-20 CWE-200 CWE-264 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
Synology SRM Operating systems & Components / Operating system |
| Vendor | Synology Inc. |
Security Bulletin
This security bulletin contains information about 4 vulnerabilities.
1) Input validation error
EUVDB-ID: #VU105922
Risk: Medium
CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2025-29843
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote user to bypass implemented security restrictions.
The vulnerability exists due to an unspecified vulnerability. A remote user can bypass implemented security restrictions.
Install updates from vendor's website.
Vulnerable software versionsSynology SRM: 1.0.1-6007 - 1.3-9193-1
CPE2.3- cpe:2.3:o:synology:synology_router_manager:1.0.1-6007:*:*:*:*:*:*:*
- cpe:2.3:o:synology:synology_router_manager:1.0.1-6007-1:*:*:*:*:*:*:*
- cpe:2.3:o:synology:synology_router_manager:1.0.1-6007-2:*:*:*:*:*:*:*
https://www.synology.com/en-global/security/advisory/Synology_SA_25_04
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Information disclosure
EUVDB-ID: #VU105923
Risk: Low
CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2025-29844
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a remote user to gain access to potentially sensitive information.
The vulnerability exists due to excessive data output by the application. A remote user can gain unauthorized access to sensitive information.
MitigationInstall updates from vendor's website.
Vulnerable software versionsSynology SRM: 1.0.1-6007 - 1.3-9193-1
CPE2.3- cpe:2.3:o:synology:synology_router_manager:1.0.1-6007:*:*:*:*:*:*:*
- cpe:2.3:o:synology:synology_router_manager:1.0.1-6007-1:*:*:*:*:*:*:*
- cpe:2.3:o:synology:synology_router_manager:1.0.1-6007-2:*:*:*:*:*:*:*
https://www.synology.com/en-global/security/advisory/Synology_SA_25_04
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Information disclosure
EUVDB-ID: #VU105924
Risk: Low
CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2025-29845
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a remote user to gain access to potentially sensitive information.
The vulnerability exists due to excessive data output by the application. A remote user can gain unauthorized access to sensitive information.
MitigationInstall updates from vendor's website.
Vulnerable software versionsSynology SRM: 1.0.1-6007 - 1.3-9193-1
CPE2.3- cpe:2.3:o:synology:synology_router_manager:1.0.1-6007:*:*:*:*:*:*:*
- cpe:2.3:o:synology:synology_router_manager:1.0.1-6007-1:*:*:*:*:*:*:*
- cpe:2.3:o:synology:synology_router_manager:1.0.1-6007-2:*:*:*:*:*:*:*
https://www.synology.com/en-global/security/advisory/Synology_SA_25_04
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Permissions, Privileges, and Access Controls
EUVDB-ID: #VU105926
Risk: Low
CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2025-29846
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a remote user to escalate privileges on the system.
The vulnerability exists due to improperly imposed security restrictions. A remote user can escalate privileges on the system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsSynology SRM: 1.0.1-6007 - 1.3-9193-1
CPE2.3- cpe:2.3:o:synology:synology_router_manager:1.0.1-6007:*:*:*:*:*:*:*
- cpe:2.3:o:synology:synology_router_manager:1.0.1-6007-1:*:*:*:*:*:*:*
- cpe:2.3:o:synology:synology_router_manager:1.0.1-6007-2:*:*:*:*:*:*:*
https://www.synology.com/en-global/security/advisory/Synology_SA_25_04
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
