Attack Chain

1. Attacker identifies a vulnerable Synology DSM instance running a version prior to 7.2.2-72806-5 or 7.3.1-86003-1.
2. Attacker obtains the distinguished name (DN) of a valid user account. This could be achieved through reconnaissance or data breaches.
3. Attacker crafts a malicious authentication request to the SSO service, leveraging the improper checks for unusual or exceptional conditions.
4. The crafted request utilizes the known DN to bypass the authentication process.
5. The SSO service incorrectly validates the malicious authentication request.
6. The attacker gains unauthorized access to the DSM instance with the privileges associated with the user whose DN was used.
7. The attacker can now access and modify files, settings, and configurations within the DSM.
8. The attacker can install malware, exfiltrate sensitive data, or disrupt services.

Impact

Successful exploitation of CVE-2025-13392 allows remote attackers to bypass authentication on Synology DiskStation Manager (DSM) devices. This can lead to complete compromise of the device and the data stored on it, including sensitive personal and business information. The impact can range from data theft and ransomware attacks to disruption of critical services provided by the NAS. Given the high CVSS score of 8.1, this vulnerability is considered a critical threat.

Recommendation

• Upgrade Synology DiskStation Manager (DSM) to versions 7.2.2-72806-5 or 7.3.1-86003-1, or later to patch CVE-2025-13392.
• Monitor network traffic for suspicious authentication attempts to the Synology DSM SSO service. Deploy the Sigma rules provided to detect anomalous SSO authentication patterns.
• Implement strong password policies and multi-factor authentication to mitigate the impact of potential credential compromise, although this vulnerability bypasses authentication entirely with a known DN.