Synology has released an important security update for its DiskStation Manager (DSM) operating system to address a cluster of vulnerabilities that could allow attackers to manipulate files, leak sensitive data, or knock systems offline.
The vulnerabilities range in severity, with the most critical carrying a CVSS score of 8.0, highlighting a significant risk to the millions of network-attached storage (NAS) devices that power personal and enterprise data hubs globally.
The largest group of flaws, including CVE-2026-40530, CVE-2026-4036, and five others, affects the platform's internal access controls.
According to the advisory, these flaws “allow remote authenticated users to read or write arbitrary or limited files, conduct denial-of-service attacks, and obtain sensitive or non-sensitive information, including arbitrary sharing files”. For organizations with multiple users, this means a single compromised account could be used to reach restricted data or disrupt the storage environment for everyone else.
Beyond authenticated threats, the update mitigates several flaws that can be triggered by remote actors or network eavesdroppers:
- Remote Information Disclosure: CVE-2026-40533, CVE-2026-40535, and CVE-2026-40538 allow remote attackers to obtain non-sensitive information, read or write limited files, and conduct limited denial-of-service (DoS) attacks.
- The MitM Pivot: Perhaps more concerning is CVE-2026-40539 (CVSS 7.1), which “allows man-in-the-middle attackers to read or write arbitrary files and conduct denial-of-service attacks”. This vulnerability could be weaponized by an attacker positioned on the same network to hijack file transfers and inject malicious data.
Synology has categorized these updates as Important and strongly recommends that all administrators audit their DSM versions immediately.
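Auditing a fleet of NAS devices means comparing each DSM version string against the fixed build, and DSM versions do not sort correctly as plain strings (the build number and "Update N" suffix both matter). The following added example, which is not from the article or from Synology, parses DSM-style version strings into comparable tuples and flags hosts below a fixed version. The fixed version, the hostnames and the inventory version strings are constructed placeholders; substitute the fixed build from Synology's advisory for your DSM branch.

```python
import re
from dataclasses import dataclass
from typing import Optional

# PLACEHOLDER: the article does not state the fixed DSM build. Replace this
# with the fixed version from Synology's advisory for your DSM branch.
FIXED_DSM_VERSION = "7.2.2-99999 Update 9"

# Accepts strings such as "DSM 7.2.2-72806 Update 3", "7.2.1-69057 Update 5"
# or "7.2-64570" (the micro part and the "Update N" suffix are optional).
VERSION_RE = re.compile(
    r"^(?:DSM\s+)?(\d+)\.(\d+)(?:\.(\d+))?-(\d+)(?:\s+Update\s+(\d+))?$"
)


@dataclass(frozen=True, order=True)
class DsmVersion:
    """DSM version as an ordered tuple: major, minor, micro, build, update."""

    major: int
    minor: int
    micro: int
    build: int
    update: int

    @classmethod
    def parse(cls, text: str) -> Optional["DsmVersion"]:
        # Returns None for anything that does not look like a DSM version,
        # so callers can fail closed instead of silently treating it as patched.
        match = VERSION_RE.match(text.strip())
        if not match:
            return None
        major, minor, micro, build, update = match.groups()
        return cls(int(major), int(minor), int(micro or 0), int(build), int(update or 0))


# Constructed sample inventory (hostname, version string as reported by the device).
SAMPLE_INVENTORY = [
    ("nas-01", "DSM 7.2.2-72806 Update 3"),
    ("nas-02", "7.2.2-99999 Update 9"),
    ("nas-03", "7.2.1-69057 Update 5"),
    ("nas-04", "7.3-unknown"),
]


def audit_inventory(inventory, fixed_version: str = FIXED_DSM_VERSION):
    """Split an inventory into hosts below the fixed build and hosts whose
    version string could not be parsed (both need an administrator's attention)."""
    fixed = DsmVersion.parse(fixed_version)
    if fixed is None:
        raise ValueError(f"fixed version is not a DSM version string: {fixed_version!r}")
    outdated, unparsable = [], []
    for host, version_text in inventory:
        parsed = DsmVersion.parse(version_text)
        if parsed is None:
            unparsable.append(host)
        elif parsed < fixed:
            outdated.append(host)
    return outdated, unparsable


if __name__ == "__main__":
    outdated, unparsable = audit_inventory(SAMPLE_INVENTORY)
    print("needs update:", outdated)      # -> ['nas-01', 'nas-03']
    print("could not parse:", unparsable)  # -> ['nas-04']
```

Because the dataclass is declared with `order=True`, comparisons run field by field in declaration order, so a higher micro version beats a lower one regardless of build number, and two builds of the same release are ordered by build and then by update number. Unparsable strings are reported separately rather than dropped, so a device with a malformed or unexpected version string is reviewed instead of being assumed patched.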