Synology fixes maximum severity vulnerability in VPN routers
2023-01-03 15:36

Taiwan-based NAS maker Synology has addressed a maximum severity vulnerability affecting routers configured to run as VPN servers.

VPN Plus Server is a virtual private network server that lets administrators set up Synology routers as VPN servers, providing remote access to resources behind the router.

"A vulnerability allows remote attackers to possibly execute arbitrary commands via a susceptible version of Synology VPN Plus Server," Synology said in a security advisory published on Friday.

"Out-of-bounds write vulnerability in Remote Desktop Functionality in Synology VPN Plus Server before 1.4.3-0534 and 1.4.4-0635 allows remote attackers to execute arbitrary commands via unspecified vectors."

Last month, Synology issued a second advisory rated as critical severity and announced that it had patched multiple security vulnerabilities in the Synology Router Manager.

While Synology didn't list the security flaws' CVE IDs, multiple researchers and teams are credited for reporting the patched bugs, with at least two of them having successfully demoed zero-day exploits targeting the Synology RT6600ax router during the first day of the Pwn2Own Toronto 2022 hacking contest.


News URL

https://www.bleepingcomputer.com/news/security/synology-fixes-maximum-severity-vulnerability-in-vpn-routers/

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Synology 71 31 140 51 24 246