EXECUTIVE SUMMARY:
Multiple security vulnerabilities have been identified in Synology's DiskStation Manager (DSM) operating system, affecting several versions of the product. The vulnerabilities are primarily file-manipulation and information-disclosure issues; some allow remote authenticated users to read or write arbitrary files, conduct denial-of-service attacks, and obtain sensitive information. Taken together they pose a significant risk to the large installed base of DSM network-attached storage (NAS) devices, potentially leading to data breaches, service disruption, and unauthorized access to stored data. Organizations with many DSM user accounts are at particular risk, since several of the issues are reachable by any authenticated user, so a single compromised account is enough to exploit them. Applying the security update is essential for maintaining the integrity and confidentiality of stored data and for preventing unauthorized access to sensitive information.
CVE-2026-4036 (CVSS score 6.5): allows remote authenticated users to read or write arbitrary or limited files, conduct denial-of-service attacks, and obtain sensitive or non-sensitive information, including arbitrary shared files. It is reachable by remote attackers through DSM's internal access-control mechanisms.
CVE-2026-40530 (CVSS score 8.0): may allow remote authenticated users to read or modify arbitrary or limited files, launch denial-of-service attacks, and access sensitive or non-sensitive information, including shared files. It is likewise exploitable through DSM's internal access-control mechanisms, enabling unauthorized use of the affected components.
CVE-2026-40533 (CVSS score 5.3): allows remote attackers to obtain non-sensitive information, read or write limited files, and conduct limited denial-of-service (DoS) attacks.
CVE-2026-40535 (CVSS score 6.5): allows limited file read/write access and potential denial-of-service conditions.
CVE-2026-40538 (CVSS score 3.7): allows remote access to low-risk data, limited file read or write actions, and limited denial-of-service (DoS) activity.
CVE-2026-40539 (CVSS score 7.1): allows man-in-the-middle attackers to read or write arbitrary files and conduct denial-of-service attacks; an attacker positioned on the same network could use it to hijack file transfers and inject malicious data.
RECOMMENDATION:
We recommend updating Synology DiskStation Manager to the version listed for your release branch, or later:
DSM 7.3: update to 7.3.2-86009-2 or above.
DSM 7.2.2: update to 7.2.2-72806-7 or above.
DSM 7.2.1: update to 7.2.1-69057-10 or above.
Any 7.3 build earlier than 7.3.2-86009-2 is below the fix level for that branch and must be brought up to it. The installed version is shown under Control Panel > Info Center, in the form "DSM 7.2.1-69057 Update 10", which corresponds to 7.2.1-69057-10 in the list above. Until the update is applied, keep the DSM management interface off the public internet and enforce strong credentials and two-factor authentication for every account, since several of the issues require only an authenticated user; also avoid transferring sensitive files over untrusted networks, since CVE-2026-40539 is exploitable by an attacker in a man-in-the-middle position.
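The following is an added example, not code from the advisory or from Synology: a POSIX shell check that compares a DSM version string against the fixed versions listed in the recommendation above and reports whether the device is patched, still vulnerable, or on a branch the advisory does not list. The three fixed versions are taken from the recommendation; everything else is an assumption or constructed for illustration: the layout of /etc.defaults/VERSION (key="value" lines named majorversion, minorversion, micro, buildnumber, smallfixnumber, as seen on DSM 7 systems), the Info Center display form "DSM x.y.z-build Update n", the sample VERSION file, and the version strings other than the three fixed ones.

```shell
#!/bin/sh
# Added example (not from the advisory): check a DSM version string against the fixed
# versions the recommendation lists for its branch. Branches the advisory does not
# mention (for example DSM 6.2 or 7.1) are reported as "unlisted", not guessed.

dsm_fixed_version() {
    # $1: normalized "major.minor.micro-build-update". Prints the fixed version for
    # that branch (values from the advisory); non-zero status if none is listed.
    case "$1" in
        7.3.*)   echo "7.3.2-86009-2" ;;
        7.2.2-*) echo "7.2.2-72806-7" ;;
        7.2.1-*) echo "7.2.1-69057-10" ;;
        *)       return 1 ;;
    esac
}

dsm_normalize() {
    # Accept "7.2.1-69057-10", "7.2.1-69057" (Update 0) or the assumed Info Center
    # form "DSM 7.2.1-69057 Update 10"; print "7.2.1-69057-10". Fails on anything else.
    v=$(printf '%s' "$1" | sed -e 's/^DSM *//' -e 's/ *Update *\([0-9][0-9]*\)$/-\1/')
    case "$v" in
        *[!0-9.-]*) return 1 ;;   # stray characters: not something we can compare
        *-*-*)      ;;            # build and update number both present
        *-*)        v="$v-0" ;;   # no Update suffix means Update 0
        *)          return 1 ;;   # no build number at all
    esac
    case "${v%%-*}" in            # the "major.minor.micro" part
        *.*.*) ;;
        *.*)   v="${v%%-*}.0-${v#*-}" ;;   # two-part release numbers get micro 0
        *)     return 1 ;;
    esac
    printf '%s\n' "$v"
}

dsm_version_key() {
    # Map "7.3.2-86009-2" to one integer that orders like the version:
    # major, then minor and micro (2 digits each), build (6 digits), update (3 digits).
    set -- $(printf '%s' "$1" | sed 's/[.-]/ /g')
    [ $# -eq 5 ] || return 1
    printf '%d%02d%02d%06d%03d\n' "$1" "$2" "$3" "$4" "$5"
}

dsm_patch_status() {
    # Prints patched | vulnerable | unlisted | unparseable; exit status 0 only when patched.
    v=$(dsm_normalize "$1")         || { echo unparseable; return 2; }
    fixed=$(dsm_fixed_version "$v") || { echo unlisted; return 2; }
    if [ "$(dsm_version_key "$v")" -ge "$(dsm_version_key "$fixed")" ]; then
        echo patched; return 0
    fi
    echo vulnerable; return 1
}

dsm_version_field() {
    # $1: VERSION file, $2: key. Prints the numeric value of a key="..." line, if any.
    sed -n "s/^$2=\"\([0-9]*\)\".*/\1/p" "$1" | head -n 1
}

dsm_installed_version() {
    # Assumption: /etc.defaults/VERSION on DSM 7 is a key="value" file carrying
    # majorversion, minorversion, micro, buildnumber and smallfixnumber.
    f=${1:-/etc.defaults/VERSION}
    [ -r "$f" ] || return 1
    fix=$(dsm_version_field "$f" smallfixnumber)
    printf '%s.%s.%s-%s-%s\n' "$(dsm_version_field "$f" majorversion)" \
        "$(dsm_version_field "$f" minorversion)" "$(dsm_version_field "$f" micro)" \
        "$(dsm_version_field "$f" buildnumber)" "${fix:-0}"
}

# Constructed sample VERSION file (not from a real device) for a 7.2.1 box on Update 9.
SAMPLE_VERSION_FILE=$(mktemp)
trap 'rm -f "$SAMPLE_VERSION_FILE"' EXIT
cat > "$SAMPLE_VERSION_FILE" <<'EOF'
majorversion="7"
minorversion="2"
micro="1"
buildphase="GM"
buildnumber="69057"
smallfixnumber="9"
productversion="7.2.1"
EOF

# Illustrative inputs: the advisory's fixed versions plus constructed neighbours.
for candidate in "7.3.2-86009-2" "7.3.1-85000-5" "DSM 7.2.1-69057 Update 10" \
                 "7.2.1-69057" "6.2.4-25556-7" "$(dsm_installed_version "$SAMPLE_VERSION_FILE")"; do
    printf '%-28s %s\n' "$candidate" "$(dsm_patch_status "$candidate")"
done
```

On a real device, run it over SSH and pass the output of dsm_installed_version (with no argument, so it reads /etc.defaults/VERSION) to dsm_patch_status; a non-zero exit status means the box is not at the fix level, which makes the check easy to drop into a fleet inventory script.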
REFERENCES:
The following reports contain further technical details:
https://securityonline.info/synology-dsm-security-update-nas-vulnerabilities-2026/