CVE-2013-6955

Synology DiskStation Manager - Arbitrary File Write via SLICEUPLOAD X-TMP-FILE Header

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2013-6955. PoCs were published by Metasploit and Markus Wulftange, including the Metasploit module exploits/linux/http/synology_dsm_sliceupload_exec_noauth.

AI-analyzed exploit summary
This Metasploit module exploits CVE-2013-6955 in Synology DiskStation Manager (DSM) versions 4.x by appending arbitrary commands to /redirect.cgi via the SLICEUPLOAD functionality in /webman/imageSelector.cgi, allowing unauthenticated remote command execution as root.

Description

webman/imageSelector.cgi in Synology DiskStation Manager (DSM) 4.0 before 4.0-2259, 4.2 before 4.2-3243, and 4.3 before 4.3-3810 Update 1 allows remote attackers to append data to arbitrary files, and consequently execute arbitrary code, via a pathname in the SLICEUPLOAD X-TMP-FILE HTTP header.
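The three affected ranges in the description translate directly into a version check. The Python below is an added example, not code from this page, from Synology, or from the Metasploit project: it encodes only the three first-fixed builds the description lists, reports any other branch as "not covered" (including 4.1, which the exploit summaries fold into "4.x" but the description never names), and assumes DSM's VERSION file consists of key="value" lines with majorversion, minorversion, buildnumber and smallfixnumber; the VERSION file contents it parses are constructed for illustration.

```python
import re
from typing import Optional, Tuple

# First fixed build per branch, taken from the CVE description:
# 4.0 before 4.0-2259, 4.2 before 4.2-3243, 4.3 before 4.3-3810 Update 1.
# Stored as (build, update) so "Update N" ordering works with tuple comparison.
FIXED_BUILDS = {
    "4.0": (2259, 0),
    "4.2": (3243, 0),
    "4.3": (3810, 1),
}

# Matches "4.3-3810" and "4.3-3810 Update 1".
_VERSION_RE = re.compile(
    r"^(?P<branch>\d+\.\d+)-(?P<build>\d+)(?:\s+Update\s+(?P<update>\d+))?$"
)


def parse_dsm_version(version: str) -> Tuple[str, int, int]:
    """Split a DSM version string into (branch, build, update)."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised DSM version string: {version!r}")
    return m.group("branch"), int(m.group("build")), int(m.group("update") or 0)


def is_vulnerable(version: str) -> Optional[bool]:
    """True if the build predates the fix for its branch, False if it is fixed,
    None if the branch is not one the description covers (e.g. 4.1 or 5.x)."""
    branch, build, update = parse_dsm_version(version)
    fixed = FIXED_BUILDS.get(branch)
    if fixed is None:
        return None
    return (build, update) < fixed


def version_from_version_file(text: str) -> str:
    """Build a version string from a DSM VERSION file. Assumed layout:
    key="value" lines carrying majorversion, minorversion, buildnumber, smallfixnumber."""
    kv = dict(re.findall(r'^(\w+)="?([^"\n]*)"?$', text, re.M))
    version = f'{kv["majorversion"]}.{kv["minorversion"]}-{kv["buildnumber"]}'
    small_fix = int(kv.get("smallfixnumber") or 0)
    if small_fix:
        version += f" Update {small_fix}"
    return version


# Constructed sample VERSION file for a build the description lists as vulnerable
# (4.3-3810 without Update 1).
SAMPLE_VERSION_FILE = """majorversion="4"
minorversion="3"
buildnumber="3810"
smallfixnumber="0"
"""

if __name__ == "__main__":
    v = version_from_version_file(SAMPLE_VERSION_FILE)
    print(v, "vulnerable" if is_vulnerable(v) else "fixed or not covered")
    for sample in ("4.0-2258", "4.0-2259", "4.2-3243", "4.3-3810 Update 1", "4.1-2668", "5.0-4458"):
        print(sample, is_vulnerable(sample))
```

The None result is deliberate: a version string the description does not cover should be escalated for manual review rather than silently reported as safe.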

Exploits (2)

exploitdb WORKING POC VERIFIED
by Metasploit · ruby · remote · unix
https://www.exploit-db.com/exploits/30470

This Metasploit module exploits CVE-2013-6955 in Synology DiskStation Manager (DSM) versions 4.x by appending arbitrary commands to /redirect.cgi via the SLICEUPLOAD functionality in /webman/imageSelector.cgi, allowing unauthenticated remote command execution as root.

Classification: Working PoC (100%)
Attack type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Synology DiskStation Manager (DSM) versions 4.0-4.3 (excluding patched builds)
No auth needed
Prerequisites: Network access to the target's web interface (port 5000 by default) · Vulnerable version of Synology DSM
devstral-2 · analyzed Feb 16, 2026
metasploit WORKING POC EXCELLENT
by Markus Wulftange · ruby · poc
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/synology_dsm_sliceupload_exec_noauth.rb

This Metasploit module exploits an unauthenticated remote command execution vulnerability in Synology DiskStation Manager (DSM) versions 4.x by appending arbitrary commands to /redirect.cgi via the SLICEUPLOAD functionality in imageSelector.cgi.

Classification: Working PoC (100%)
Attack type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Synology DiskStation Manager (DSM) versions 4.0-4.3 (excluding patched versions)
No auth needed
Prerequisites: Network access to the target's web interface (port 5000 by default) · Vulnerable version of Synology DSM
devstral-2 · analyzed Feb 16, 2026
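Because the CGI is reachable without authentication and the dangerous input is a single request header, the attack is easy to hunt for in any HTTP telemetry that records request headers (a reverse proxy or WAF log, or Zeek with header logging). The triage below is an added example, not code from this page, from Synology or from the Metasploit module. It assumes a legitimate slice upload carries a bare temporary file name in X-TMP-FILE (tune that to observed traffic), and it flags, as a generic follow-on indicator, the same source later requesting the file it wrote to. The request records, addresses and header values are constructed for illustration.

```python
from typing import Dict, List, Optional

# Constructed request records, shaped like what a header-aware proxy or WAF emits.
SAMPLE_REQUESTS: List[Dict] = [
    {"src": "192.0.2.10", "method": "POST", "path": "/webman/imageSelector.cgi",
     "headers": {"X-TMP-FILE": "upload_7f3a.tmp"}},          # bare temp name: normal
    {"src": "198.51.100.23", "method": "POST", "path": "/webman/imageSelector.cgi",
     "headers": {"x-tmp-file": "../redirect.cgi"}},           # traversal into a CGI script
    {"src": "198.51.100.23", "method": "GET", "path": "/webman/redirect.cgi",
     "headers": {}},                                           # same source fetches that script
    {"src": "203.0.113.5", "method": "POST", "path": "/webman/imageSelector.cgi",
     "headers": {"X-TMP-FILE": "/tmp/slice.part"}},           # absolute path
    {"src": "192.0.2.11", "method": "GET", "path": "/webman/index.cgi",
     "headers": {"X-TMP-FILE": "whatever"}},                   # header on an unrelated CGI
]

TARGET_CGI = "/webman/imageselector.cgi"
SEPARATOR_ONLY = "path separator in X-TMP-FILE"


def triage_request(req: Dict) -> Optional[Dict]:
    """Return an alert for a suspicious SLICEUPLOAD request, or None."""
    if not req["path"].lower().endswith(TARGET_CGI):
        return None
    headers = {k.lower(): v for k, v in req["headers"].items()}   # header names are case-insensitive
    tmp = headers.get("x-tmp-file")
    if tmp is None:
        return None
    parts = tmp.replace("\\", "/").split("/")
    reasons = []
    if tmp.startswith(("/", "\\")):
        reasons.append("absolute path in X-TMP-FILE")
    if ".." in parts:
        reasons.append("directory traversal in X-TMP-FILE")
    if parts[-1].lower().endswith(".cgi"):
        reasons.append("target is a CGI script")
    if not reasons and len(parts) > 1:
        reasons.append(SEPARATOR_ONLY)   # assumption: normal uploads never carry a separator
    if not reasons:
        return None                      # bare temp file name, consistent with a normal slice upload
    severity = "medium" if reasons == [SEPARATOR_ONLY] else "high"
    return {"src": req["src"], "severity": severity, "x_tmp_file": tmp, "reasons": reasons}


def scan(requests: List[Dict]) -> List[Dict]:
    """Triage every request in order and note when the alerting source later
    requests a path whose last component matches the file named in X-TMP-FILE."""
    alerts = []
    for i, req in enumerate(requests):
        alert = triage_request(req)
        if alert is None:
            continue
        target = alert["x_tmp_file"].replace("\\", "/").split("/")[-1].lower()
        alert["followed_by_request_to_target"] = any(
            later["src"] == req["src"] and later["path"].lower().split("/")[-1] == target
            for later in requests[i + 1:]
        )
        alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_REQUESTS):
        print(a["severity"].upper(), a["src"], a["x_tmp_file"], a["reasons"],
              "follow-up request seen" if a["followed_by_request_to_target"] else "")
```

The follow-up correlation is what separates a scanner probing the header from an attacker who wrote something and then went back for it; in the sample, the traversal request and the later GET to redirect.cgi from the same source produce one high-severity alert with the follow-up flag set, while the absolute-path request stands alone.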

References (1)

Core references (1)
CERT/CC Vulnerability Note VU#615910 (third-party advisory, US Government Resource)
http://www.kb.cert.org/vuls/id/615910

Scores

EPSS score: 0.8611 (estimated probability of exploitation in the wild within the next 30 days)
EPSS percentile: 99.7%

Details

CWE
CWE-264 (Permissions, Privileges, and Access Controls)
Status published
Products (4)
synology/diskstation_manager 4.0
synology/diskstation_manager 4.2
synology/diskstation_manager 4.3
synology/diskstation_manager 4.3-3810
Published Jan 09, 2014
Tracked Since Feb 18, 2026